[users] Request and a bug: gksu
Todd And Margo Chester
toddandmargo at gmail.com
Thu Jun 9 18:14:24 CEST 2011
On 06/07/2011 02:50 PM, Yury V. Zaytsev wrote:
> On Tue, 2011-06-07 at 12:35 -0700, Todd And Margo Chester wrote:
>> I am still stuck on if it is a security hazard in el6, why is it not also a
>> security hazard in el5? I presume that the dependencies in the RPM
>> would take care of anything that is different.
> This is, in fact, a very wrong assumption. RPM will not take care of it.
> RPM always assumes that the packages are coming from an appropriate
> channel and only tries to detect situations when there is a danger of
> inducing direct damage to the RPM database (unsatisfiable dependencies,
> wrong checksum / file corrupted, wrong signature etc.)
> If you keep mixing things, you are totally on your own. In the very best
> case it will detect some obvious linking problems, but not more than
> that. Possible pitfalls:
> 1) Library SONAME didn't change (i.e. functions got added), the
> program uses the new ABI, and you install the RPM on the old system
> 2) Interpreter version is not recorded in RPM, software incompatible
> with newer/older Python
> 3) Few hundred others...
>> The code itself is still the code itself -- the code has not changed.
>> If it is safe in one, it should be safe in the other. I am clearly
>> not getting your point.
> You know, you should really get some basics right first. Sorry for that.
Thank you for the education.
Follow-up question: if I were to skip the RPM process and just compile
the app from the/a tarball, would that remove your security concerns?
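The first pitfall in the quoted reply (same SONAME, newer ABI) has a concrete check that neither RPM's signature/checksum verification nor a plain tarball build will do for you: glibc and most system libraries use symbol versioning, so a binary built against a newer glibc may import a version node such as GLIBC_2.11 that an older libc.so.6 does not define, even though both files carry the SONAME libc.so.6. rpmbuild's automatic dependency generator records these as `libc.so.6(GLIBC_2.11)` requires when the package is built in the normal way, which is why a proper rebuild for the target release catches the mismatch; a foreign RPM or a hand-compiled binary gets no such protection. The script below is an added example written for this page, not code from the thread or from any of the people quoted. It parses the ELF `.gnu.version_r` section of a binary (the versions it needs) and the `.gnu.version_d` section of each library it names (the versions that library defines) and reports the gap. The library search directories are an assumption about a RHEL-style layout; the version strings in the test data are constructed.

```python
"""Report versioned symbol requirements an ELF binary has that the installed
shared libraries do not provide.  Added example, not the thread's own code.
Parses .gnu.version_r (needed versions) and .gnu.version_d (defined versions)
directly, so it needs no binutils."""
import os
import struct
import sys

SHT_GNU_VERDEF = 0x6FFFFFFD
SHT_GNU_VERNEED = 0x6FFFFFFE
VER_FLG_BASE = 0x1                      # first verdef is the SONAME itself, not a version
DEFAULT_LIBDIRS = ("/lib64", "/usr/lib64", "/lib", "/usr/lib")  # assumption: RHEL-style layout


def _cstr(table, off):
    """Read a NUL-terminated string from a string table."""
    return table[off:table.index(b"\0", off)].decode("ascii", "replace")


def _parse(data):
    """Return (endianness prefix, [(sh_type, sh_offset, sh_size, sh_link, sh_info), ...])."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if data[5] == 1 else ">"
    if data[4] == 2:                    # ELFCLASS64
        (shoff,) = struct.unpack_from(end + "Q", data, 0x28)
        shentsize, shnum = struct.unpack_from(end + "HH", data, 0x3A)
        fmt = end + "IIQQQQIIQQ"
    else:                               # ELFCLASS32
        (shoff,) = struct.unpack_from(end + "I", data, 0x20)
        shentsize, shnum = struct.unpack_from(end + "HH", data, 0x2E)
        fmt = end + "IIIIIIIIII"
    secs = []
    for i in range(shnum):
        f = struct.unpack_from(fmt, data, shoff + i * shentsize)
        secs.append((f[1], f[4], f[5], f[6], f[7]))   # type, offset, size, link, info
    return end, secs


def _strtab(data, secs, idx):
    _, off, size, _, _ = secs[idx]
    return data[off:off + size]


def required_versions(data):
    """Map each needed library to the set of symbol versions the binary imports from it."""
    end, secs = _parse(data)
    needed = {}
    for shtype, off, _, link, count in secs:
        if shtype != SHT_GNU_VERNEED:
            continue
        strtab = _strtab(data, secs, link)          # sh_link -> .dynstr
        for _ in range(count):                      # sh_info = number of Verneed entries
            _, vn_cnt, vn_file, vn_aux, vn_next = struct.unpack_from(end + "HHIII", data, off)
            lib = _cstr(strtab, vn_file)
            aux = off + vn_aux
            for _ in range(vn_cnt):
                _, _, _, vna_name, vna_next = struct.unpack_from(end + "IHHII", data, aux)
                needed.setdefault(lib, set()).add(_cstr(strtab, vna_name))
                aux += vna_next
            if not vn_next:
                break
            off += vn_next
    return needed


def provided_versions(data):
    """Set of symbol versions a shared library defines (its base entry excluded)."""
    end, secs = _parse(data)
    provided = set()
    for shtype, off, _, link, count in secs:
        if shtype != SHT_GNU_VERDEF:
            continue
        strtab = _strtab(data, secs, link)
        for _ in range(count):
            _, vd_flags, _, _, _, vd_aux, vd_next = struct.unpack_from(end + "HHHHIII", data, off)
            vda_name, _ = struct.unpack_from(end + "II", data, off + vd_aux)  # first aux = name
            if not vd_flags & VER_FLG_BASE:
                provided.add(_cstr(strtab, vda_name))
            if not vd_next:
                break
            off += vd_next
    return provided


def missing_versions(required, provided_by_lib):
    """required: {lib: {versions}}; provided_by_lib: {lib: {versions}} for libraries found.
    A library absent from provided_by_lib is reported as not found at all."""
    missing = {}
    for lib, versions in required.items():
        have = provided_by_lib.get(lib)
        if have is None:
            missing[lib] = ["<library not found>"]
        elif versions - have:
            missing[lib] = sorted(versions - have)
    return missing


def find_library(name, libdirs=DEFAULT_LIBDIRS):
    for d in libdirs:
        path = os.path.join(d, name)
        if os.path.exists(path):
            return path
    return None


def check_binary(path, libdirs=DEFAULT_LIBDIRS):
    """Return {lib: [missing versions]} for one binary against the installed libraries."""
    with open(path, "rb") as f:
        required = required_versions(f.read())
    provided = {}
    for lib in required:
        libpath = find_library(lib, libdirs)
        if libpath:
            with open(libpath, "rb") as f:
                provided[lib] = provided_versions(f.read())
    return missing_versions(required, provided)


if __name__ == "__main__":
    # usage: python3 abicheck.py /path/to/binary ...   (empty output = all versions satisfied)
    for target in sys.argv[1:]:
        for lib, gap in sorted(check_binary(target).items()):
            print("%s: %s lacks %s" % (target, lib, ", ".join(gap)))
```

An empty result means every version node the binary imports exists in the libraries it would load from those directories; it says nothing about dependencies resolved elsewhere via RPATH or LD_LIBRARY_PATH, nor about the second pitfall (interpreter versions), which this check does not cover.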