Local users get to play root?
Dennis J.
dennisml at conversis.de
Wed Nov 18 18:49:26 UTC 2009
On 11/18/2009 07:30 PM, Seth Vidal wrote:
>
>
> On Wed, 18 Nov 2009, Dennis J. wrote:
>
>>
>> In fact I agree with you but this doesn't really address my point.
>> How do you make sure the packages that are part of your minimal list
>> don't introduce such a backdoor with the next update?
>
> You check them.
>
> That's the best you can do.
>
> It's just like anything else:
>
> How are you sure no one introduces a package into 'updates' which
> obsoletes glibc? We check them and hope we catch problems.
Changing policy is not the same as introducing a problem. There should at
least be a process for packages to go through if they want to make changes
like PackageKit did, so that this kind of thing shows up on people's radars
earlier, can be peer-reviewed and, if necessary, be mentioned in the
release notes. Also, these changes should probably not be introduced for
updates between releases.

My basic point is that changes that allow packages to elevate their
privileges should set off some process-based formal alarm when they are
introduced rather than being discovered by accident after a release.
Regards,
Dennis