On Monday 08 September 2003 03:40, Jan Krueger wrote:
> On Sunday 07 September 2003 20:35, Jon Portnoy wrote:
> > What, that any situation involving installing software is going to have
> > security holes? That's the nature of software installation.
>
> Installing software at the end comes down to putting files at the right
> place. (on Windows you would add: modifying the registry)
>
> So that's exactly what portage should do: put files at the right place.
>
> The ebuilds may play in the sandbox whatever game they like.
> It should, however, in no way be possible for them to wipe your box.
>
> You agree?
>
> Jan
>
|
Please take a look at the sys-libs/db ebuilds. They use a function (from an
eclass) that is needed to ensure that uninstalling versions which are the
newest installed version works. Not having that code would actually introduce
a hard-to-diagnose bug if people downgrade. The code is fairly simple, but
certainly necessary. If you disagree, please suggest a better way to do the
same thing. Also I don't see why removing postinst introduces much added
security. Any application can introduce a trojan in a patch (more obscure
than an ebuild) that gets installed suid root. There is no way you are going
to notice without stringent security measures, and packages get installed to
be run.
|
Paul

--
Paul de Vrieze
Gentoo Developer
Mail: pauldv@g.o
Homepage: http://www.devrieze.net
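
Added example, not part of the original message: the reply above notes that a file installed suid root goes unnoticed without deliberate checks, so this sketch audits a staged install image (for Portage, the directory an ebuild installs into before the files are merged) for privilege-granting mode bits. The function names and the command-line usage are assumptions made for this illustration.

```python
import os
import stat
import sys

def risky_bits(mode, uid):
    """Return labels for privilege-granting mode bits on a regular file."""
    labels = []
    if not stat.S_ISREG(mode):
        return labels  # directories, symlinks, devices are out of scope here
    if mode & stat.S_ISUID:
        labels.append("setuid-root" if uid == 0 else "setuid")
    # setgid without group-execute historically meant mandatory locking,
    # not privilege, so only flag it when the file is group-executable.
    if mode & stat.S_ISGID and mode & stat.S_IXGRP:
        labels.append("setgid")
    if mode & stat.S_IWOTH:
        labels.append("world-writable")
    return labels

def audit_image(image_root):
    """Walk a staged install image and list files that carry risky bits.

    Returns sorted (relative_path, octal_mode, labels) tuples. lstat() is
    used so a symlink inside the image is never followed out of the tree.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(image_root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            labels = risky_bits(st.st_mode, st.st_uid)
            if labels:
                rel = os.path.relpath(full, image_root)
                findings.append((rel, oct(stat.S_IMODE(st.st_mode)), labels))
    return sorted(findings)

if __name__ == "__main__":
    # Hypothetical usage: python audit_image.py /path/to/staged/image
    hits = audit_image(sys.argv[1])
    for rel, mode, labels in hits:
        print(f"{mode:>7}  {','.join(labels):<24} {rel}")
    sys.exit(1 if hits else 0)  # non-zero exit lets a build step stop for review
```

Comparing the findings against a reviewed allowlist per package turns this from a listing into a gate: a new setuid entry then needs a human decision before the merge.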