[users] Request and a bug: gksu

Yury V. Zaytsev yury at shurup.com
Tue Jun 7 23:50:44 CEST 2011


Hi!

On Tue, 2011-06-07 at 12:35 -0700, Todd And Margo Chester wrote:

> I am still stuck on if it is a security hazard in el6, why is it not also a
> security hazard in el5?  I presume that the dependencies in the RPM
> would take care of anything that is different.

This is, in fact, a very wrong assumption. RPM will not take care of it.

RPM always assumes that the packages are coming from an appropriate
channel and only tries to detect situations when there is a danger of
inducing direct damage to the RPM database (unsatisfiable dependencies,
wrong checksum / file corrupted, wrong signature etc.)

If you keep mixing things, you are totally on your own. In the very best
case it will detect some obvious linking problems, but not more than
that. Possible pitfalls:

1) Library SONAME didn't change (i.e. functions get added), and the
program uses new ABI, you install the RPM on the old system

2) Interpreter version is not recorded in RPM, software incompatible
with newer/older Python

3) Few hundred others...

> The code itself is still the code itself -- the code has not changed.
> If it is safe in one, it should be safe in the other.  I am clearly
> not getting your point.

You know, you should really get some basics right first. Sorry for that.

-- 
Sincerely yours,
Yury V. Zaytsev
