[Bug 226377] Merge Review: rpm
Peter Jones
pjones at redhat.com
Wed Aug 29 20:12:19 UTC 2007

Jesse Keating wrote:
> On Fri, 24 Aug 2007 14:04:14 -0400
> "Tom \"spot\" Callaway" <tcallawa at redhat.com> wrote:
>
>> Even with a separate database, it will overwrite the files on the
>> system when rpm5 does an install/update transaction, and the rpm.org
>> db (the system database) will not reflect these changes.
>>
>> BOOM.
>
> Ah, but that should fall under the noconflicts barrier of inclusion.
> They have to make it know to not accept --root / or some such so that
> it can't be used to drop packages in the existing file system. If they
> can't do that, it can't come in. So we're still in the technical range
> without having to get political.

This is a rat-hole. That's not something that's reasonably
straightforward for it to check. Consider what happens when somebody
bind mounts / to /foo and then does "rpm5 --root /foo -Uvh bar.rpm".
If you make rpm5 force you to use --root, you still have the same problems.
--
Peter