[users] Request and a bug: gksu

Todd And Margo Chester toddandmargo at gmail.com
Thu Jun 9 18:14:24 CEST 2011


On 06/07/2011 02:50 PM, Yury V. Zaytsev wrote:
> Hi!
>
> On Tue, 2011-06-07 at 12:35 -0700, Todd And Margo Chester wrote:
>
>> I am still stuck on if it is a security hazard in el6, why is it not also a
>> security hazard in el5?  I presume that the dependencies in the RPM
>> would take care of anything that is different.
> This is, in fact, a very wrong assumption. RPM will not take care of it.
>
> RPM always assumes that the packages are coming from an appropriate
> channel and only tries to detect situations when there is a danger of
> inducing direct damage to the RPM database (unsatisfiable dependencies,
> wrong checksum / file corrupted, wrong signature etc.)
>
> If you keep mixing things, you are totally on your own. In the very best
> case it will detect some obvious linking problems, but not more than
> that. Possible pitfalls:
>
> 1) Library SONAME didn't change (i.e. functions get added), and the
> program uses new ABI, you install the RPM on the old system
>
> 2) Interpreter version is not recorded in RPM, software incompatible
> with newer/older Python
>
> 3) Few hundred others...
>
>> The code itself is still the code itself -- the code has not changed.
>> If it is safe in one, it should be safe in the other.  I am clearly
>> not getting your point.
> You know, you should really get some basics right first. Sorry for that.
>
Hi Yury,

   Thank you for the education.

   Follow up question: if I were to skip the RPM process and just compile
the app from the/a tar ball, would that remove your security concerns?

Many thanks,
-T
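The first pitfall Yury lists (library SONAME unchanged, so RPM's dependency check passes, while the program calls a function that only exists in the newer library) can be made concrete. The following is an added example, not code from the thread or from the distribution: it models what RPM compares at install time (provided vs. required capabilities) next to what it does not compare (the undefined dynamic symbols of the binary against what the installed library actually exports). All package names, library names, symbol lists and the sample `nm -D --undefined-only` output are constructed for illustration.

```python
"""Added example (not from the mailing-list thread): why a passing RPM
dependency check does not prove an ABI match when the SONAME was not bumped.
All names and symbol lists below are constructed."""

# Constructed: capabilities the newer-release package declares
# (what `rpm -qp --requires pkg.rpm` would show, reduced to the SONAME level).
PKG_REQUIRES = {"libexample.so.1()(64bit)", "libc.so.6()(64bit)"}

# Constructed: capabilities the older target system provides
# (what `rpm -q --provides` of its installed packages would show).
OLD_SYSTEM_PROVIDES = {"libexample.so.1()(64bit)", "libc.so.6()(64bit)"}

# Constructed: `nm -D --undefined-only` output for the packaged binary.
# The third symbol was added to libexample in the newer release without a
# SONAME change, so the RPM-level requirement above is identical.
NM_OUTPUT = """\
                 U example_open
                 U example_read
                 U example_read_async
                 U memcpy@GLIBC_2.14
"""

# Constructed: symbols exported by libexample.so.1 on each release.
LIBEXAMPLE_EXPORTS = {
    "old": {"example_open", "example_read"},
    "new": {"example_open", "example_read", "example_read_async"},
}


def parse_undefined(nm_output, library_prefix):
    """Extract undefined symbol names from `nm -D --undefined-only` output,
    keeping only those whose name starts with library_prefix and dropping any
    @VERSION suffix (versioned symbols such as memcpy@GLIBC_2.14)."""
    names = set()
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] != "U":
            continue
        name = parts[1].split("@", 1)[0]
        if name.startswith(library_prefix):
            names.add(name)
    return names


def rpm_level_check(requires, provides):
    """What RPM verifies at install time: every required capability exists.
    Returns the unmet capabilities (empty list means RPM would proceed)."""
    return sorted(requires - provides)


def symbol_level_check(needed, exported):
    """What RPM does not verify: every undefined symbol the binary needs is
    exported by the library actually installed. Returns the missing symbols,
    which would surface only at runtime as an unresolved-symbol error."""
    return sorted(needed - exported)


def assess(release):
    """Run both checks against the given release's library and summarise."""
    needed = parse_undefined(NM_OUTPUT, "example_")
    return {
        "rpm_unmet": rpm_level_check(PKG_REQUIRES, OLD_SYSTEM_PROVIDES),
        "symbols_missing": symbol_level_check(needed, LIBEXAMPLE_EXPORTS[release]),
    }


if __name__ == "__main__":
    for rel in ("new", "old"):
        print(rel, assess(rel))
```

On the "old" release the RPM-level check returns nothing unmet, so the package installs cleanly, while the symbol-level check reports `example_read_async` as missing; that is exactly the gap between the two kinds of check. On a real system the equivalent evidence comes from `nm -D --undefined-only` on the binary and `nm -D --defined-only` on the installed library, which is the sort of check a practitioner should run before trusting a package built for a different release.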
