RPM roadmapping

Panu Matilainen pmatilai at laiskiainen.org
Mon Jul 30 18:16:18 UTC 2007


On Mon, 30 Jul 2007, Gilboa Davara wrote:

> On Sat, 2007-07-28 at 16:14 -0500, Arthur Pemberton wrote:
>> On 7/28/07, seth vidal <skvidal at linux.duke.edu> wrote:
>>> On Sat, 2007-07-28 at 14:53 +0000, Kevin Kofler wrote:
>>>> Panu Matilainen <pmatilai <at> redhat.com> writes:
>>>>>    - RPM is not an ftp/http client, it's a package manager.
>>>>
>>>> Am I the only one who thinks that being able to rpm -Uvh http://....rpm is a
>>>> nice feature?
>>>
>>> it's not an issue of it being a nice feature - it is an issue of whether
>>> it is a good idea to maintain the code. Keep in mind - rpm has its own
>>> http/ftp client included. It's not using curl or wget. All its own code.
>>> That seems a bit much to maintain esp when the majority of people using
>>> rpm do it through a higher level language that already has a http/ftp
>>> client.
>>>
>>> the best way to make rpm reliable and consistent is to strip out all
>>> things that are unnecessary.
>>>
>>> -sv
>>
>> I would imagine this opens RPM up to remote attacks too.
>
> I second the above.
> Running HTTP/FTP client as root is -not- a good idea.

Yet that's how all our depsolvers and the associated tools work...

 	- Panu -



