| 1 |
On Tuesday 09 September 2003 12:19, Stuart Herbert wrote: |
| 2 |
> That would not be cool at all. pkg_postinst is *the* one place in the |
| 3 |
> ebuild where we can do things that need to be done on the live filesystem |
| 4 |
> or the machine at large. Sandboxing this would not be helpful. |
| 5 |
|
| 6 |
Well, what needs to be done on the real filesystem anyway? What can't be done |
| 7 |
inside a sandbox and then copied over to the live filesystem after the admin |
| 8 |
says it's ok? Just theoretically, make no assumptions about how difficult it |
| 9 |
might be to not do it to the live filesystem. It might in fact be very |
| 10 |
difficult. |
| 11 |
|
| 12 |
Of course I'm not speaking of convenience, thats always the problem with added |
| 13 |
security, it's often more difficult to handle (and that;s bad, easy security |
| 14 |
is the best I think, as people tend to find ways around the difficult to |
| 15 |
handle things to make their lives easier). I'm all for security like Jan, |
| 16 |
though his approach still has the major problem of a compromised master tree. |
| 17 |
The one problem that can only be circumvented by signing everything and |
| 18 |
keeping the signing keys away from the master tree. At least I can't think of |
| 19 |
anything else. That's what I wanted to point out. |
| 20 |
|
| 21 |
> By the time the ebuild is being executed on your machine, it's already too |
| 22 |
> late. If security is what you want, you need something that'll stop the |
| 23 |
> code running in the first place. |
| 24 |
|
| 25 |
Exactly. As said, even that sandboxing wouldn't help against the scenario Jan |
| 26 |
was referring to all the time but just make the writing of ebuilds (and |
| 27 |
portage) more complicated. |
| 28 |
|
| 29 |
|
| 30 |
Alex |
| 31 |
|
| 32 |
|
| 33 |
-- |
| 34 |
gentoo-dev@g.o mailing list |
Archives