Mono Package audit
Colin Walters
walters at verbum.org
Thu Apr 10 20:36:38 UTC 2008
On Thu, Apr 10, 2008 at 3:28 PM, Ville Skyttä <ville.skytta at iki.fi> wrote:
> It extracts rpm contents only with "rpm2cpio | cpio", not tarballs etc within.
Oh, I see, right.
> Not sure if running "rpmbuild -bp" would be considered a potential security
> issue, and I'd rather not even try re-implementing what %setup does to get
> around that (at least in upstream rpmlint; in Fedora it could use
> rpmdev-extract for that).
It wouldn't be very hard to write a SELinux policy for this, but I
guess people would still want a DAC solution.
Well, I think we do need some program to run for automated checks on
sources. If that can't be rpmlint, I guess a new one is in order?
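One way to do the unpacking half of what %setup does without running any spec scriptlet (the concern above with `rpmbuild -bp`), as an added example that is not code from this thread, rpmlint or rpmdev-extract; the function names and the sample tarball are constructed for the illustration, and it assumes the rpm payload has already been pulled out with rpm2cpio | cpio.

```python
import io
import posixpath
import tarfile
import tempfile


def unsafe_reason(path):
    """Why an archive path must not be written under the destination, or None."""
    if not path or path.startswith("/"):
        return "absolute path"
    if ".." in path.split("/"):
        return "parent-directory component"  # conservative: any '..' is rejected
    return None


def extract_source_tarball(tar_bytes, dest=None):
    """Unpack a source tarball from an rpm payload without executing anything.
    This is only the unpack half of %setup; unlike `rpmbuild -bp` no spec
    scriptlet runs. Returns (dest, extracted names, [(skipped name, reason)])."""
    dest = dest or tempfile.mkdtemp(prefix="srcaudit-")
    extracted, skipped = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            reason = unsafe_reason(m.name)
            if reason is None and m.issym():  # symlink target is relative to member dir
                reason = unsafe_reason(posixpath.join(posixpath.dirname(m.name), m.linkname))
            elif reason is None and m.islnk():  # hard link names another archive path
                reason = unsafe_reason(m.linkname)
            elif reason is None and not (m.isfile() or m.isdir()):
                reason = "special file"  # devices, fifos: never needed for a source audit
            if reason:
                skipped.append((m.name, reason))
                continue
            tf.extract(m, dest, set_attrs=False)
            extracted.append(m.name)
    return dest, extracted, skipped


def build_sample_tarball():
    """Constructed sample (not a real package): a source tree plus two hostile names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in [("foo-1.0/README", b"hello\n"), ("foo-1.0/configure", b"exit 0\n"),
                           ("../outside.txt", b"x\n"), ("/etc/absolute.txt", b"x\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Nested archives inside the extracted tree can be fed back through the same function, which is the part of %setup a checker needs; anything the spec would run stays unexecuted.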