PackageCompiler stores REPL histories?

Hi,

just played around with PackageCompiler and has been surprised what I’ve found in produced “executable” (rather shared library executable stub calls). In that huge ~90MiB file for a simplest "hello world* program, there were lots of assumably REPL commands, not only mine but quite foreign probably “leaked” from various standard installed packages.

Not sure it is an intended behaviour but feels like a security issue, because REPL history may contain some sensitive data, not intended to be distributed around.

2 Likes

Are you sure these are not just part of the doctests that have been serialized? It seems easy to make that mistake if you just look at something like strings sysimage.dylib | grep julia\>. I don’t really see how a REPL history would end up getting serialized to the sysimage, no REPL should even be created when the sysimage is built so nothing should read the REPL-history file. But I might miss something, more details are needed to look at this properly.

4 Likes

Hmm, I can’t replicate the issue anymore :confused:

I’d swear I’ve found in that image many of my previous expressions typed in REPL, unrelated to sources being packaged. Not sure if that could have anything to do with former Julia installation from AUR sources v1.5.1 been replaced in the meantime with official prepackaged binaries.

I’m sorry for any possible inconvenience.

1 Like

As a note, if you feel you’ve found a security issue, it’s better to privately message one of the maintainers of the package instead of publicly announcing it, ref https://en.m.wikipedia.org/wiki/Responsible_disclosure.

2 Likes

Saying some of the commands from history of REPL being used makes sense for me. If you look at a post I put a few days ago (click here). There is a mysterious folder called “Tabriz” and it is empty created in the bin folder of the application, while there is nothing called Tabriz in my code and process as I explained there in details. When I did it on another computer, I didn’t get that folder. After reading your post I remembered I created a folder using mkdir command in Julia’s IDE about 2 months ago when I was explaining something to a friend.

Note that this is a much stronger claim than the original. In order to execute REPL history you would need to parse and eval things from code from the history file which is quite non-trivial and harder to do by accident than to just serialize a variable with a reference to the read history.

1 Like

Thanks for your reply :slight_smile: the codes and what I did is in my post in details, so it can be repeated by others and maybe one guide me what I’m doing wrong. I also have the output of the process untouched if it helps.