1 |
On Tuesday 09 September 2003 12:19, Stuart Herbert wrote: |
2 |
> That would not be cool at all. pkg_postinst is *the* one place in the |
3 |
> ebuild where we can do things that need to be done on the live filesystem |
4 |
> or the machine at large. Sandboxing this would not be helpful. |
5 |
|
6 |
Well, what needs to be done on the real filesystem anyway? What can't be done |
7 |
inside a sandbox and then copied over to the live filesystem after the admin |
8 |
says it's ok? Just theoretically, make no assumptions about how difficult it |
9 |
might be to not do it to the live filesystem. It might in fact be very |
10 |
difficult. |
11 |
|
12 |
Of course I'm not speaking of convenience, thats always the problem with added |
13 |
security, it's often more difficult to handle (and that;s bad, easy security |
14 |
is the best I think, as people tend to find ways around the difficult to |
15 |
handle things to make their lives easier). I'm all for security like Jan, |
16 |
though his approach still has the major problem of a compromised master tree. |
17 |
The one problem that can only be circumvented by signing everything and |
18 |
keeping the signing keys away from the master tree. At least I can't think of |
19 |
anything else. That's what I wanted to point out. |
20 |
|
21 |
> By the time the ebuild is being executed on your machine, it's already too |
22 |
> late. If security is what you want, you need something that'll stop the |
23 |
> code running in the first place. |
24 |
|
25 |
Exactly. As said, even that sandboxing wouldn't help against the scenario Jan |
26 |
was referring to all the time but just make the writing of ebuilds (and |
27 |
portage) more complicated. |
28 |
|
29 |
|
30 |
Alex |
31 |
|
32 |
|
33 |
-- |
34 |
gentoo-dev@g.o mailing list |