| 1 |
On Monday 08 September 2003 03:40, Jan Krueger wrote: |
| 2 |
> On Sunday 07 September 2003 20:35, Jon Portnoy wrote: |
| 3 |
> > What, that any situation involving installing software is going to have |
| 4 |
> > security holes? That's the nature of software installation. |
| 5 |
> |
| 6 |
> Installing software at the end comes down to putting files at the right |
| 7 |
> place. (on windows you would add: modifying the registry) |
| 8 |
> |
| 9 |
> So thats exactly what portage should do: put files at the right place. |
| 10 |
> |
| 11 |
> The ebuilds may play in the sandbox whatever game they like. |
| 12 |
> It should however in no way possible for them to wipe your box. |
| 13 |
> |
| 14 |
> You agree? |
| 15 |
> |
| 16 |
> Jan |
| 17 |
> |
| 18 |
|
| 19 |
Please take a look at the sys-libs/db ebuilds. They use a function (from an |
| 20 |
eclass) that is needed to ensure that uninstalling versions which are the |
| 21 |
newest installed version works. Not having that code would actually introduce |
| 22 |
a hard to diagnose bug if people downgrade. The code is fairly simple, but |
| 23 |
certainly necessary. If you disagree, please suggest a better way to do the |
| 24 |
same thing. Also I don't see why removing postinst introduces much added |
| 25 |
security. Any application can introduce a trojan in a patch (more obscure |
| 26 |
than an ebuild) that gets installed suid root. There is no way you are going |
| 27 |
to notice without stringent security measures, and packages get installed to |
| 28 |
be runned. |
| 29 |
|
| 30 |
Paul |
| 31 |
|
| 32 |
-- |
| 33 |
Paul de Vrieze |
| 34 |
Gentoo Developer |
| 35 |
Mail: pauldv@g.o |
| 36 |
Homepage: http://www.devrieze.net |
Archives