| 1 |
> Yes, thanks, I'll be using that now. However, I still think it's more |
| 2 |
> secure to do everything as a regular user (including running all the |
| 3 |
> portage code!) and only elevating to root permissions for actual |
| 4 |
> merges. Otherwise you spend more time running things as root, even if |
| 5 |
> you drop for the builds, and it's possible for a bug to prevent the |
| 6 |
> privileges from being dropped. Anyway, just wanted to make that |
| 7 |
> point, obviously it's up to you guys to decide. |
| 8 |
> |
| 9 |
|
| 10 |
Really though, it only becomes insecure if the source code can't be |
| 11 |
trusted. This has become a bit more complicated/worrisome lately since |
| 12 |
it has been demonstrated that malicious source tarballs with the same |
| 13 |
md5sum as as the originals could be used to attack a gentoo install. I |
| 14 |
think steps are being taken to remove this possibility from affecting |
| 15 |
portage, however. |
| 16 |
|
| 17 |
Steve |
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
-- |
| 23 |
gentoo-dev@g.o mailing list |
Archives