From b730559381893042d0e6a9ba1492d1bf92a2e1e7 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 26 Aug 2024 12:23:22 +0200 Subject: Adding upstream version 0.1.48. Signed-off-by: Daniel Baumann --- debputy.pod | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) (limited to 'debputy.pod') diff --git a/debputy.pod b/debputy.pod index 3ce9b90..7d08813 100644 --- a/debputy.pod +++ b/debputy.pod @@ -136,9 +136,9 @@ For packages that does not have the B field, B will result to can derive a style that all parties would agree too (or the team style for packaging teams), then that style will be used. -At the time of introduction, the B style is similar to that of B, since -that was one of the most common style according to L, But the style is -expected to evolve over time and the two styles may diverge over time. +The B style started as similar to that of B, since that was one of the most +common styles according to L, but the style is expected to evolve over +time and the two styles may diverge over time. The command accepts the following options: @@ -208,6 +208,12 @@ files. This command is useful for CI or for when you cannot use the language ser the same diagnostics as B would but without requiring an LSP capable editor as intermediate. The output is only intended for human consumption. Machine readable is not a goal at this time. +The B command is a form of static analysis and will not load nor execute code from the +code it is scanning. It is a security bug for B to violate this principle directly +or indirectly. Therefore, B can only provide diagnostics from libraries and tools that takes +this principle seriously. It also means that B will likely have false-positives for self-hosting +code, since it is not allowed to load the self-hosted code. + Note that at the time of writing, the B file is only B supported. If you have F, please also run B to get more thorough checks for that file for now. The B command will inform you about this issue in the output if a @@ -335,6 +341,21 @@ B will suffice (using the stdio transport). See B) or websocket (B<--ws>) plus related supporting options. +The B command provides several features including a form of static analysis in the +form of "as-you-type" diagnostics. For the diagnostics, is B not allowed load nor +execute code from the code it is scanning. It is a security bug for B to violate +this principle directly or indirectly. Therefore, B can only provide diagnostics from libraries +and tools that takes this principle seriously. It also means that B will likely have +false-positives for self-hosting code, since it is not allowed to load the self-hosted code. + +This security principle also applies to hover docs, completion suggestions and other trivial code editing +or viewing features. However, it is not universal, since certain LSP features are deliberately designed +to run the code you are viewing. As an example, B can provide a "code lens" (LSP term) +for building the current package. On activation of the code lens, B will trigger code from the +package to be run and that is expected. The critical points here are that the user most explicitly +trigger the feature and it must use terms commonly associated with running code such as B, +B or B (non-exhaustive list). + If you need to debug an issue with the language server, the TCP integration (B<--tcp>) can be quite helpful. In this mode, you run B in a terminal before starting your editor. This means you have direct and unfiltered access to the B command and its output. -- cgit v1.2.3