On Wednesday 20 June 2007, Ned Ludd wrote:
> On Wed, 2007-06-20 at 15:57 -0400, Mike Frysinger wrote:
> > On Wednesday 20 June 2007, Marius Mauch wrote:
> > > Mike Frysinger <vapier@g.o> wrote:
> > > > mayhaps we need a new function to be run in src_install() to label
> > > > files as "sensitive" ... so baselayout would do:
> > > > esosensitive /etc/{fstab,group,passwd,shadow}
> > > > and then we expand the format of CONTENTS in the vdb:
> > > > priv /etc/fstab <hash> <mtime>
> > >
> > > And what would be phase 2 of that? Just having a new filetype
> > > in CONTENTS doesn't accomplish anything by itself ...
> >
> > updating any tool that creates binary packages from the live $ROOT of
> > course silly billy
> >
> > current behavior:
> > # quickpkg baselayout
> > * Building package for sys-apps/baselayout-1.12.10-r4
> > * Packages now in '/usr/portage/pacakges':
> > * sys-apps/baselayout-1.12.10-r4: 307K
> >
> > proposed new behavior (exact output here is not part of the discussion so
> > don't nitpick it):
> > # quickpkg baselayout
> > * Building package for sys-apps/baselayout-1.12.10-r4
> > * Skipping sensitive file: /etc/passwd
> > * Skipping sensitive file: /etc/shadow
> > * Skipping sensitive file: /etc/group
> > * Packages now in '/usr/portage/pacakges':
> > * sys-apps/baselayout-1.12.10-r4: 307K
> > # quickpkg --iamsensitive baselayout
> > * Building package for sys-apps/baselayout-1.12.10-r4
> > * Including sensitive file: /etc/passwd
> > * Including sensitive file: /etc/shadow
> > * Including sensitive file: /etc/group
> > * Packages now in '/usr/portage/pacakges':
> > * sys-apps/baselayout-1.12.10-r4: 307K
>
> Suggestion:
> If you go down this "sensitive" route. please ensure that the
> generated .tbz2 is mode 600 to prevent exposing this sensitive
> data more than need be.

that's a different bug which is already being addressed (and which led me
down this line of thinking in the first place) ...
-mike
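
The behaviour proposed in this thread, as an added example (not code from the original messages or from Portage): it reads a CONTENTS listing in which `priv` is the hypothetical entry type from the proposal, leaves those files out unless asked to include them, and creates the archive with mode 600 as suggested in the reply. `parse_contents`, `build_package` and the sample entries are assumptions, and the output is a plain tar.bz2 without the xpak metadata a real .tbz2 carries.

```python
import os
import tarfile

# Constructed sample in the vdb CONTENTS layout. "priv" is the entry type
# proposed in the thread (hypothetical), not one Portage defines.
SAMPLE_CONTENTS = """\
dir /etc
obj /etc/hosts 00000000000000000000000000000001 1182369420
priv /etc/passwd 00000000000000000000000000000002 1182369420
priv /etc/shadow 00000000000000000000000000000003 1182369420
sym /etc/mtab -> /proc/mounts 1182369420
"""


def parse_contents(text):
    """Yield (kind, path) for each CONTENTS line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, rest = line.split(" ", 1)
        if kind in ("obj", "priv"):
            # "<path> <hash> <mtime>": split from the right, paths may hold spaces
            path = rest.rsplit(" ", 2)[0]
        elif kind == "sym":
            path = rest.split(" -> ", 1)[0]
        else:
            path = rest
        yield kind, path


def build_package(contents, root, out_path, include_sensitive=False):
    """Pack the files listed in contents from root; return (packed, skipped)."""
    packed, skipped = [], []
    # O_EXCL + 0600 at creation: the archive is never readable by other
    # users, even briefly, and a pre-existing file is not reused.
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as raw, tarfile.open(fileobj=raw, mode="w:bz2") as tar:
        for kind, path in parse_contents(contents):
            if kind not in ("obj", "priv"):
                continue  # dirs and symlinks are left out of this example
            if kind == "priv" and not include_sensitive:
                skipped.append(path)
                continue
            rel = path.lstrip("/")
            tar.add(os.path.join(root, rel), arcname=rel)
            packed.append(path)
    return packed, skipped
```

Setting the mode in the `os.open` call rather than with a later `chmod` avoids a window in which the archive exists with the default, umask-derived permissions.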