On 11/08/2010 07:23 AM, Adrian Schröter wrote:
On Tuesday, 2 November 2010, 21:17:37, Robert Schweikert wrote: ...
One of the gory details would be to skip packages in projects like "bleeding-edge" during the automatic collection. But I believe there is already a flag for things like that, if I recall a discussion on this list correctly.
I just want to point out the security implication in doing this.
If it is known that it is done in this way, it is horribly easy to build a package which would get installed in any case, if you add such a repository.
And this package can do anything with your system. Getting root access on any system, sending your credit card number to server X and so on.
Doing this is so horribly dangerous that I would even think that the usual "we are not responsible" agreements in license texts would not help you in court anymore. Simply because this is not only careless, but actually more an already prepared attack on all opensuse systems.
I guess you are saying that our devel projects are not safe. So maybe we shouldn't provide repositories for the devel projects? AFAIK we do not have an extra disclaimer w.r.t. security or other things for devel projects. Thus your concern would apply today.

Robert