Mailinglist Archive: opensuse (4344 mails)
| < Previous | Next > |
Re: [opensuse] apt-suser Security problem? (was: Re: [opensuse] Contrib repository)
- From: Víctor Fernández Martínez <vfernandez@xxxxxxxxxxxxxx>
- Date: Sat, 13 Aug 2005 00:34:13 +0200
- Message-id: <200508130034.14308.vfernandez@xxxxxxxxxxxxxx>
El Sábado, 13 de Agosto de 2005 00:14, Ken Schneider escribió:
> On Sat, 2005-08-13 at 00:04 +0200, Víctor Fernández Martínez wrote:
> > El Viernes, 12 de Agosto de 2005 21:18, Eberhard Moenkeberg escribió:
> > > There is no proof against a good guy turning bad some day...
> >
> > At least some people publish their .src.rpm so it would be possible to
> > take a look at the specfile. I really encourage everybody to publish
> > their .src.rpm's. Of course they still can publish a modified .src.rpm
> > which doesn't correspond to the real .src.rpm but if you don't trust
> > them, you can build the .src.rpm. Right now there's not much more you can
> > do.
> >
> > Anyway I don't think that's the bigger problem. The bigger problem is the
> > packages might be buggy or have broken dependencies and so on, perhaps
> > because some of them haven't been properly tested. That could mess an
> > installation or at least cause problems.
>
> Simple solution would be for the developers to install their own package
> on a clean install of the target OS and fix the dep issues or make sure
> the deps are available.
Yes but maintaining a clean install to test the packages is hard. You don't
really know how fast the "clean" install becomes a "dirty" install. ;) Or
perhaps you don't have the time to deeply test the packages and you assume
they work properly since everything seems to be ok.
--
Víctor Fernández Martínez
Gabinete de prensa de PoLinux [www.polinux.upv.es]. Usuario de Linux
registrado #312284 en http://counter.li.org.
> On Sat, 2005-08-13 at 00:04 +0200, Víctor Fernández Martínez wrote:
> > El Viernes, 12 de Agosto de 2005 21:18, Eberhard Moenkeberg escribió:
> > > There is no proof against a good guy turning bad some day...
> >
> > At least some people publish their .src.rpm so it would be possible to
> > take a look at the specfile. I really encourage everybody to publish
> > their .src.rpm's. Of course they still can publish a modified .src.rpm
> > which doesn't correspond to the real .src.rpm but if you don't trust
> > them, you can build the .src.rpm. Right now there's not much more you can
> > do.
> >
> > Anyway I don't think that's the bigger problem. The bigger problem is the
> > packages might be buggy or have broken dependencies and so on, perhaps
> > because some of them haven't been properly tested. That could mess an
> > installation or at least cause problems.
>
> Simple solution would be for the developers to install their own package
> on a clean install of the target OS and fix the dep issues or make sure
> the deps are available.
Yes but maintaining a clean install to test the packages is hard. You don't
really know how fast the "clean" install becomes a "dirty" install. ;) Or
perhaps you don't have the time to deeply test the packages and you assume
they work properly since everything seems to be ok.
--
Víctor Fernández Martínez
Gabinete de prensa de PoLinux [www.polinux.upv.es]. Usuario de Linux
registrado #312284 en http://counter.li.org.
| < Previous | Next > |