[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Local users get to play root?



On 11/18/2009 07:30 PM, Seth Vidal wrote:


On Wed, 18 Nov 2009, Dennis J. wrote:


In fact I agree with you but this doesn't really address my point.
How do you make sure the packages that are part of your minimal list
don't introduce such a backdoor with the next update?

You check them.

That's the best you can do.

It's just like anything else:

How are you sure no one introduces a package into 'updates' which
obsoletes glibc? We check them and hope we catch problems.

Changing policy is not the same as introducing a problem. There should at least be a process for packages to go through if they want to make changes like PackageKit did so that this kind of thing shows up on peoples radars earlier can be peer-reviewed and if necessary be mentioned in the release-notes. Also these changes should probably not be introduced for updates between releases. My basic point is that changes that allow packages to elevate their privileges should set of some process based formal alarm when they are introduced rather than being discovered by accident after a release.

Regards,
  Dennis



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]