RPM roadmapping

Robert Scheck robert at fedoraproject.org
Mon Jul 30 19:00:39 UTC 2007


Evening,

On Mon, 30 Jul 2007, Panu Matilainen wrote:
>>>> the best way to make rpm reliable and consistent is to strip out all
>>>> things that are unnecessary.

Hm. Looking forward to pyrpm and pyyum, or however it is called, is it
necessary to keep rpm and yum at all? Neither pyrpm nor pyyum depends on
rpmlib in any way. Isn't it overkill to have two implementations of the same
thing? I'd guess a Python rpm (written only in that scripting language) would
make many Red Hat people happy, because Python is the Red Hat in-house de facto
standard, isn't it?

>>> I would imagine this opens RPM up to remote attacks too.
>>
>> I second the above.
>> Running an HTTP/FTP client as root is -not- a good idea.
>
> Yet that's how all our depsolvers and the associated tools work...

Well. Seen from this point of view, we should download *all* files in yum and
(...) with an unprivileged account, check them somehow and afterwards install
as root. Eggdrop, for example, avoids being executed as root, but when you're
hacking this into wget... it's better not to complete this sentence.

Finally, having Neon support in RPM is IMHO just the same or a lower risk than
having Neon support in Subversion. Why castrate RPM at all? It looks like it is
just to get other, unnamed tools more deeply involved. And if this is the
reason, there's from my POV no need to keep RPM in its current form. A stupid
Python hack could replace everything and should be quick to write; can
somebody agree with me, or am I already stamped as the mailing list clown?


Greetings,
  Robert
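The "download as an unprivileged account, check somehow, then install as root" scheme the mail sketches, as an added example. This is not code from yum, rpm or the poster. It assumes an unprivileged account called "nobody" exists, that the "check somehow" step is a SHA-256 comparison against a digest the caller already trusts (for instance taken from signed repository metadata; rpm's own GPG signature check would be the real-world equivalent), and, so that it runs offline, uses `cp` as a stand-in for the HTTP/FTP client and `true` as a stand-in for `rpm -U`. All function names are hypothetical.

```python
"""Privilege-separated fetch / verify / install (added example, not yum or
rpm code). Assumes a "nobody" account; cp and true stand in for the network
client and for rpm -U so the whole thing runs offline."""
import hashlib
import hmac
import os
import pwd
import shutil
import subprocess
import tempfile


def _shed_root(user):
    """preexec_fn: runs in the child between fork() and exec()."""
    if os.geteuid() != 0:
        return                       # not root, nothing to shed
    pw = pwd.getpwnam(user)
    os.setgroups([])                 # drop root's supplementary groups first
    os.setgid(pw.pw_gid)             # gid before uid, or setgid() would fail
    os.setuid(pw.pw_uid)             # sets real, effective and saved uid


def fetch_unprivileged(fetch_cmd, staging_dir, user="nobody"):
    """Run the network-facing downloader with root shed.

    Python 3.9+ could pass user=/group=/extra_groups= to subprocess.run
    instead of a preexec_fn; the effect is the same.
    """
    if os.geteuid() == 0:
        pw = pwd.getpwnam(user)
        os.chown(staging_dir, pw.pw_uid, pw.pw_gid)   # the child must be able to write
    subprocess.run(fetch_cmd, cwd=staging_dir, check=True,
                   preexec_fn=lambda: _shed_root(user))


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verified(path, expected_sha256):
    """Constant-time compare; the expected value is the trusted side."""
    return hmac.compare_digest(sha256_file(path), expected_sha256.lower())


def staged_install(fetch_cmd, filename, expected_sha256, install_cmd,
                   user="nobody"):
    """Fetch as `user`, copy out of its reach, verify, then install as us.

    Returns True if the install command ran, False if verification failed;
    the privileged step never sees an unverified file.
    """
    with tempfile.TemporaryDirectory() as staging, \
         tempfile.TemporaryDirectory() as vault:      # vault stays owned by us
        fetch_unprivileged(fetch_cmd, staging, user)
        # Copy before checking: from here on nothing still running as `user`
        # can swap the bytes between the check and the install (TOCTOU).
        pkg = shutil.copy(os.path.join(staging, filename), vault)
        if not verified(pkg, expected_sha256):
            return False                              # root never touches it
        subprocess.run(install_cmd + [pkg], check=True)
        return True


def demo_offline():
    """Constructed end-to-end run: a local file plays the remote package."""
    with tempfile.TemporaryDirectory() as mirror:
        os.chmod(mirror, 0o755)      # a dropped child must be able to read it
        name = "example-1.0-1.noarch.rpm"
        src = os.path.join(mirror, name)
        with open(src, "wb") as fh:
            fh.write(b"constructed package bytes, not a real rpm\n")
        os.chmod(src, 0o644)
        trusted = sha256_file(src)   # what signed repodata would tell us
        fetch = ["cp", src, name]    # stand-in for the HTTP/FTP client
        good = staged_install(fetch, name, trusted, ["true"])
        bad = staged_install(fetch, name, "0" * 64, ["true"])
        return good, bad


if __name__ == "__main__":
    installed, rejected = demo_offline()
    print("trusted digest -> install ran:", installed)   # True
    print("wrong digest   -> install ran:", rejected)    # False
```

Run as an ordinary user the privilege drop is a no-op and only the verify-before-install ordering is exercised; run as root the downloader really executes as nobody while the digest check and the install step stay with root. The copy into a root-owned directory before verifying is the part most such scripts forget: verifying in place in a directory the unprivileged account owns leaves a window for a lingering child to replace the file after the check.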
