[zypp-devel] Re: [zypp-commit] r7726 - in /trunk/sat-solver: src/solver.c testsuite/deptestomatic.c tools/repo_content.c
* mlschroe@svn.opensuse.org
Author: mlschroe
Date: Wed Oct 31 12:54:49 2007
New Revision: 7726
URL: http://svn.opensuse.org/viewcvs/zypp?rev=7726&view=rev
Log:
- allow downgrade for INSTALL_SOLVABLE

Be careful. Again, this is a policy. For the use case of "non-root user has rights to install updates", updates must be strictly monotonically increasing. Otherwise it's a security hole since this user could install older software with known risks.

Klaus
--
To unsubscribe, e-mail: zypp-devel+unsubscribe@opensuse.org
For additional commands, e-mail: zypp-devel+help@opensuse.org
On Wednesday 31 October 2007, Klaus Kaempf wrote:
* mlschroe@svn.opensuse.org [Oct 31. 2007 12:55]:
Author: mlschroe
Date: Wed Oct 31 12:54:49 2007
New Revision: 7726
URL: http://svn.opensuse.org/viewcvs/zypp?rev=7726&view=rev
Log:
- allow downgrade for INSTALL_SOLVABLE

Be careful. Again, this is a policy.
For the use case of "non-root user has rights to install updates", updates must be strictly monotonically increasing. Otherwise it's a security hole since this user could install older software with known risks.

Then the application doing the update shouldn't INSTALL_SOLVABLE a solvable it knows should not be installed. Hardly job of the solver.

Greetings, Stephan
* Stephan Kulow
For the use case of "non-root user has rights to install updates", updates must be strictly monotonically increasing. Otherwise it's a security hole since this user could install older software with known risks.
Then the application doing the update shouldn't INSTALL_SOLVABLE a solvable it knows should not be installed. Hardly job of the solver.

Depends on the application <-> solver interface and where the 'access granted' decision is taken. According to security, this decision must not be taken by the application. So you have to enforce the 'do not downgrade' policy somewhere outside of the application.

Klaus
On Wednesday 31 October 2007, Klaus Kaempf wrote:
* mlschroe@svn.opensuse.org [Oct 31. 2007 12:55]:
Author: mlschroe
Date: Wed Oct 31 12:54:49 2007
New Revision: 7726
URL: http://svn.opensuse.org/viewcvs/zypp?rev=7726&view=rev
Log:
- allow downgrade for INSTALL_SOLVABLE

Be careful. Again, this is a policy.
What's worse: it breaks test cases that use
participants (2)
- Klaus Kaempf
- Stephan Kulow