Hi,

On Wed, 23 Apr 2008, Jan Kupec wrote:
> Security)
> libzypp now uses the repo2solv.sh shell script from satsolver-tools to build the .solv files when refreshing the repository. It has been suggested that this could be a security issue. And if it is, why not use the rpmdb2solv, rpmmd2solv, susetags2solv, etc. binaries directly depending on the type of repo (which we probably already know in libzypp)?
If anything, then not the shell script, but the converters themselves are a security concern. It would probably be best if the converters (and shell script) are run as "nobody", generating temporary files in some subdir (writable to "nobody"), and doing only the file moving part as root.

Ciao, Michael.

-- 
To unsubscribe, e-mail: zypp-devel+unsubscribe@opensuse.org
For additional commands, e-mail: zypp-devel+help@opensuse.org
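The privilege split Michael describes, worked through as an added example; this is not libzypp or satsolver code. It assumes the converter writes the .solv file to stdout (as repo2solv.sh pipes rpmmd2solv and friends), that .solv files begin with the ASCII tag SOLV, and that the unprivileged account is "nobody". The parent, running as root, creates a root-owned staging directory beside the destination, hands the converter a separate scratch directory it may write to and an already-open output descriptor, and only after the child has exited and the output has been sanity-checked renames the file into the cache. Because the converter never owns the output path, a lingering grandchild cannot swap the file for a symlink between the check and the rename. The `demo()` function drives the pipeline with a constructed metadata file and a stand-in converter; without root it keeps the caller's own uid/gid (setuid to yourself is permitted), as root it really drops to "nobody".

```python
"""Privilege-separated .solv generation (added example, not libzypp code).

The converter parses attacker-influenced repository metadata, so it runs
as an unprivileged user with cwd in a scratch directory only it can write
to.  The privileged parent does just two things: open the output file and,
after checking the result, rename it into place.
"""
import os
import pwd
import shutil
import stat
import subprocess
import sys
import tempfile
from pathlib import Path

SOLV_MAGIC = b"SOLV"  # assumed: libsolv .solv files start with this tag


def lookup_user(name="nobody"):
    """(uid, gid) of the account the converter should run as."""
    pw = pwd.getpwnam(name)
    return pw.pw_uid, pw.pw_gid


def _drop_to(uid, gid):
    """Runs in the child between fork and exec.  Order matters: once we
    setuid() away from root we can no longer change groups or gid."""
    if os.getuid() == 0:
        os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    os.umask(0o077)


def convert_unprivileged(converter, dest_solv, uid, gid, timeout=600):
    """Run `converter` (argv; emits the .solv on stdout) as uid/gid and
    atomically install its output at dest_solv.  Returns bytes written."""
    if uid == 0:
        raise ValueError("refusing to run the converter as root")
    dest_solv = Path(dest_solv)
    # Staging dir sits beside the destination so the final rename is atomic
    # and never crosses filesystems.  It stays owned by us: the converter can
    # read out.solv but cannot unlink or replace it.
    staging = Path(tempfile.mkdtemp(prefix=".solv-stage.", dir=dest_solv.parent))
    fd = -1
    try:
        os.chmod(staging, 0o755)
        work = staging / "work"          # the only place the converter may write
        work.mkdir(mode=0o700)
        os.chmod(work, 0o700)
        os.chown(work, uid, gid)
        out_path = staging / "out.solv"
        # We create and hold the output descriptor; the child merely inherits it.
        fd = os.open(out_path, os.O_RDWR | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o644)
        proc = subprocess.run(
            converter,
            stdin=subprocess.DEVNULL,
            stdout=fd,
            stderr=subprocess.PIPE,
            cwd=work,
            env={"PATH": "/usr/bin:/bin"},
            preexec_fn=lambda: _drop_to(uid, gid),  # not thread-safe; fine for a CLI tool
            timeout=timeout,
            check=False,
        )
        if proc.returncode != 0:
            raise RuntimeError("converter failed (%d): %s" % (
                proc.returncode, proc.stderr.decode(errors="replace").strip()))
        st = os.fstat(fd)  # check the file we opened, not whatever the path now names
        if not stat.S_ISREG(st.st_mode) or os.pread(fd, len(SOLV_MAGIC), 0) != SOLV_MAGIC:
            raise RuntimeError("converter output is not a .solv file")
        os.fchmod(fd, 0o644)
        os.replace(out_path, dest_solv)  # the only step that touches the cache as root
        return st.st_size
    finally:
        if fd >= 0:
            os.close(fd)
        shutil.rmtree(staging, ignore_errors=True)


def demo():
    """End-to-end run on a constructed repo with a stand-in converter.
    Returns the bytes of the installed .solv file."""
    uid, gid = lookup_user("nobody") if os.getuid() == 0 else (os.getuid(), os.getgid())
    cache = Path(tempfile.mkdtemp(prefix="solv-cache."))
    try:
        os.chmod(cache, 0o755)  # raw metadata must be readable by the unprivileged user
        repo = cache / "repodata"
        repo.mkdir()
        (repo / "primary.xml").write_bytes(b"<metadata packages=\"1\"/>")  # constructed sample
        # Stand-in for rpmmd2solv: prints the SOLV tag followed by the metadata.
        fake_converter = [sys.executable, "-c",
                          "import sys; sys.stdout.buffer.write(b'SOLV' + open(sys.argv[1], 'rb').read())",
                          str(repo / "primary.xml")]
        dest = cache / "repo.solv"
        convert_unprivileged(fake_converter, dest, uid, gid)
        return dest.read_bytes()
    finally:
        shutil.rmtree(cache, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Two caveats a deployment would add: the scratch directory keeps the converter off the cache, but it still has the rest of the filesystem's world-writable locations (/tmp) unless it is also confined (chroot, mount namespace or a MAC profile), and the magic check only rejects garbage, not a hostile but well-formed .solv, so the consumer of the file still has to parse it defensively.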