On 11/08/2010 07:23 AM, Adrian Schröter wrote:
Am Dienstag, 2. November 2010, 21:17:37 schrieb Robert
One of the gory details would be to skip packages
in projects like
"bleeding-edge" during the automatic collection. But I beleive there is
already a flag for things like that already, if I recall a discussion on
this list correctly.
I just want to point out the security impliciation in doing this.
If it is known, that it is done in this way, it is horrible easy to build a package
which would get installed in any case, if you add such a repository.
And this package can do anything with your system. Getting root access on any system,
sending your credit card number to server X and so on.
Doing this is so horrible dangerous that I would even think that the usual "we are
not responsible" agreements in license texts would not help you in court anymore.
Simply because this not only careless, but actually more an already prepared attack
to all opensuse systems. #
I guess you are saying that our devel projects are not save. So maybe we
shouldn't provide repositories for the devel projects? AFAK we do not
have an extra disclaimer w.r.t. security or other things for devel
projects. Thus your concern would apply today.
Robert Schweikert MAY THE SOURCE BE WITH YOU
Software Engineer Consultant LINUX
Making IT Work As One
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-buildservice+help(a)opensuse.org