Michael Schroeder wrote:
> On Mon, Nov 17, 2008 at 05:13:50PM +0100, Jan Kupec wrote:
>> Should be. The packagesPath dir is only used to copy the .rpm file from repo; any file with the same name is overwritten, then the rpm is installed & removed. An attacker would need to put a malicious rpm in place of the original very quickly. Is that an issue?
>
> I think so, there exist lots of attacks which exploit exactly such races.
>
>> If yes, I can change it to a TmpDir existing during lifetime of zypper.
>
> Please do.

OK, done.

-- 
cheers, jano

Ján Kupec
YaST team
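
The fix agreed on in this thread, a private temporary directory that lives as long as the process, sketched as an added example; it is not zypper's or libzypp's code. `PrivateStageDir`, `stage` and the `/tmp/stage-XXXXXX` template are hypothetical names chosen for illustration.

```cpp
// Added example: hypothetical names, not libzypp's TmpDir implementation.
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <cstdlib>
#include <stdexcept>
#include <string>
#include <vector>

// Private staging directory that exists for the lifetime of the object (RAII).
class PrivateStageDir {
public:
    PrivateStageDir() {
        char tmpl[] = "/tmp/stage-XXXXXX";  // assumed location
        // mkdtemp picks an unpredictable name and creates it with mode 0700;
        // it fails rather than reuse a directory another user prepared.
        if (!mkdtemp(tmpl)) throw std::runtime_error("mkdtemp failed");
        path_ = tmpl;
    }
    ~PrivateStageDir() {
        for (const auto &f : files_) unlink(f.c_str());
        rmdir(path_.c_str());
    }
    PrivateStageDir(const PrivateStageDir &) = delete;
    PrivateStageDir &operator=(const PrivateStageDir &) = delete;

    const std::string &path() const { return path_; }

    // Write data to <dir>/<name>. O_EXCL refuses a pre-existing file and
    // O_NOFOLLOW refuses a symlink, so nothing is silently overwritten.
    bool stage(const std::string &name, const std::string &data) {
        if (name.empty() || name.find('/') != std::string::npos) return false;
        std::string dst = path_ + "/" + name;
        int fd = open(dst.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
        if (fd < 0) return false;
        files_.push_back(dst);
        const char *p = data.data();
        size_t left = data.size();
        while (left > 0) {
            ssize_t n = write(fd, p, left);
            if (n <= 0) { close(fd); return false; }
            p += n; left -= static_cast<size_t>(n);
        }
        return close(fd) == 0;
    }
private:
    std::string path_;
    std::vector<std::string> files_;
};
```

Because the directory is owned by the calling user with mode 0700, another local user cannot swap the staged file between the copy and the install step.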