[Bug 169716] Review Request: fortune-firefly

bugzilla at redhat.com bugzilla at redhat.com
Tue Oct 4 17:27:09 UTC 2005



Summary: Review Request: fortune-firefly


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169716





------- Additional Comments From mpeters at mac.com  2005-10-04 13:26 EST -------
(In reply to comment #19)
> Hmm... isn't that making it more complicated, though - requiring strfile on 
> the builder's computers?  dat files are noarch, and tiny - why not just 
> include them?  Every fortune addon rpm that I have on my system includes the 
> dat file in the package. 

Include it in the package, yes.
But generate it at build time - when rpmbuild is called, not beforehand.

Supposing there is a vulnerability in fortune that a carefully crafted .dat file
could exploit. By including the .dat file in the src.rpm - there isn't a way to
adequately audit the .dat file.

By instead generating the .dat file when the rpm is built, the file it is
generated from can be audited.

It isn't any more difficult for the user - the rpm they install still has the
.dat file. It is better for Fedora because Fedora knows exactly where the .dat
file came from - it came from the included text file, generated on the build
machine using the strfile from the Fedora approved and maintained fortune-mod
package.
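
The difference the comment describes, as an added example that is not part of the original message or of fortune-mod: auditing a shipped .dat means parsing a binary header and offset table and checking every offset against the text, whereas an index regenerated at build time is simply whatever the audited text produces. The header layout, `build_dat` (a stand-in for `strfile`), `audit_dat`, `boundaries` and the sample text are assumptions made for illustration.

```python
import struct

# Assumed layout (fortune-mod style): five big-endian uint32 fields
# (version, numstr, longlen, shortlen, flags), the delimiter byte plus
# 3 padding bytes, then numstr + 1 big-endian uint32 offsets.
HEADER = struct.Struct(">5I4s")

def boundaries(text: bytes, delim: bytes) -> list[int]:
    """Offsets where a string may start: 0 and just after each delimiter line."""
    starts, pos = [0], 0
    for line in text.splitlines(keepends=True):
        pos += len(line)
        if line.rstrip(b"\n") == delim:
            starts.append(pos)
    return starts

def build_dat(text: bytes, delim: bytes = b"%") -> bytes:
    """Constructed stand-in for strfile: index text in the assumed layout."""
    starts = boundaries(text, delim)
    # Simplification: sizes here include the delimiter line itself.
    sizes = [b - a for a, b in zip(starts, starts[1:])]
    head = HEADER.pack(2, len(sizes), max(sizes, default=0), min(sizes, default=0), 0, delim + b"\0\0\0")
    return head + struct.pack(f">{len(starts)}I", *starts)

def audit_dat(dat: bytes, text: bytes) -> list[str]:
    """Return the problems found; an empty list means the index matches text."""
    if len(dat) < HEADER.size:
        return ["truncated header"]
    _ver, numstr, _long, _short, _flags, stuff = HEADER.unpack_from(dat)
    table = dat[HEADER.size:]
    if len(table) != 4 * (numstr + 1):
        return [f"header claims {numstr} strings, table is {len(table)} bytes"]
    valid = set(boundaries(text, stuff[:1]))
    problems = []
    for i, off in enumerate(struct.unpack(f">{numstr + 1}I", table)):
        if off > len(text):
            problems.append(f"offset {i} ({off}) is past end of text ({len(text)})")
        elif off not in valid:
            problems.append(f"offset {i} ({off}) is not a string boundary")
    return problems

# Constructed sample input, not taken from the fortune-firefly package.
TEXT = b"First constructed quote.\n%\nSecond constructed quote,\non two lines.\n%\n"
GOOD = build_dat(TEXT)
# Same index with its second offset overwritten, as a tampered file might be.
BAD = GOOD[:HEADER.size + 4] + struct.pack(">I", 0x7FFFFFFF) + GOOD[HEADER.size + 8:]

if __name__ == "__main__":
    print(audit_dat(GOOD, TEXT), audit_dat(BAD, TEXT))
```

Even this check only covers the offset table; regenerating the index from the text file on the build machine makes the text the only input that needs review.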

