RPM roadmapping

Gilboa Davara gilboad at gmail.com
Mon Jul 30 13:51:17 UTC 2007


On Sat, 2007-07-28 at 16:14 -0500, Arthur Pemberton wrote:
> On 7/28/07, seth vidal <skvidal at linux.duke.edu> wrote:
> > On Sat, 2007-07-28 at 14:53 +0000, Kevin Kofler wrote:
> > > Panu Matilainen <pmatilai <at> redhat.com> writes:
> > > >    - RPM is not an ftp/http client, it's a package manager.
> > >
> > > Am I the only one who things that being able to rpm -Uvh http://....rpm is a
> > > nice feature?
> >
> > it's not an issue of it being a nice feature - it is an issue of whether
> > it is a good idea to maintain the code. Keep in mind - rpm has its own
> > http/ftp client included. It's not using curl or wget. All its own code.
> > That seems a bit much to maintain esp when the majority of people using
> > rpm do it through a higher level language that already has a http/ftp
> > client.
> >
> > the best way to make rpm reliable and consistent is to strip out all
> > things that are unnecessary.
> >
> > -sv
> 
> I would imagine this opens RPM up to remote attacks too.

I second the above.
Running HTTP/FTP client as root is -not- a god idea.

Even if HTTP is being pushed to an external plugin that's built around
wget, this plug must be executed as user/guest and not as root.

- Gilboa




More information about the fedora-devel-list mailing list