Genes MailLists wrote: > Whilst I agree we should be as careful w root as possible - if > someone is willing to install a binary rpm as root - how is that > more secure than building the source to the same package? One of the main concerns I have with building is broken Makefiles. Say you're rebuilding a package from Fedora and updating it to a newer upstream version. It could happen that upstream has changed their Makefiles (or more likely, the automake files used to generate the Makefiles). If something like DESTDIR gets forgotten, you could end up removing or overwriting system files during the build. Once the package is built, you can inspect the binary rpm to see what files it provides, and if it tries to provide files that are already provided by a different package, rpm will complain loudly about the conflicts when you try to install it. And yeah, the concerns are greater for non-fedora packages which may not have had the benefit of a decent review (though not all Fedora packages get that either). In general, it's just a matter of best practice to build as a non-root user. Ideally, you don't want to build as your normal user either, to prevent files like your ssh or gpg keys or other sensitive files from being exposed to a potentially buggy and/or malicious build environment. -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ There is considerable overlap between the intelligence of the smartest bears and the dumbest tourists. -- Park ranger yro.slashdot.org/comments.pl?sid=191810&cid=15757347
Attachment:
pgpQl93C4HuPg.pgp
Description: PGP signature
-- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines