Am Montag, 8. November 2010, 13:51:20 schrieb Robert Schweikert:
On 11/08/2010 07:23 AM, Adrian Schröter wrote:
Am Dienstag, 2. November 2010, 21:17:37 schrieb Robert Schweikert: ...
One of the gory details would be to skip packages in projects like "bleeding-edge" during the automatic collection. But I beleive there is already a flag for things like that already, if I recall a discussion on this list correctly.
I just want to point out the security impliciation in doing this.
If it is known, that it is done in this way, it is horrible easy to build a package which would get installed in any case, if you add such a repository.
And this package can do anything with your system. Getting root access on any system, sending your credit card number to server X and so on.
Doing this is so horrible dangerous that I would even think that the usual "we are not responsible" agreements in license texts would not help you in court anymore. Simply because this not only careless, but actually more an already prepared attack to all opensuse systems. #
I guess you are saying that our devel projects are not save. So maybe we shouldn't provide repositories for the devel projects? AFAK we do not have an extra disclaimer w.r.t. security or other things for devel projects. Thus your concern would apply today.
It does apply today also. You should be carefull which repo you add to your system. But if you simply create one big repo and copy blindly all stuff from a high number of projects your risk is way higher. Because even maintainers of some simple corner case applications (which you would never install yourself) have root access to your system. bye adrian -- Adrian Schroeter SUSE Linux Products GmbH email: adrian@suse.de -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org