Re: how to 'rip apart' a rpm.

Genes MailLists wrote:
> Whilst I agree we should be as careful w root as possible - if
> someone is willing to install a binary rpm as root - how is that
> more secure than building the source to the same package?

One of the main concerns I have with building is broken Makefiles.
Say you're rebuilding a package from Fedora and updating it to a newer
upstream version.  It could happen that upstream has changed their
Makefiles (or more likely, the automake files used to generate the
Makefiles).  If something like DESTDIR gets forgotten, you could end
up removing or overwriting system files during the build.

Once the package is built, you can inspect the binary rpm to see what
files it provides, and if it tries to provide files that are already
provided by a different package, rpm will complain loudly about the
conflicts when you try to install it.

And yeah, the concerns are greater for non-Fedora packages which may
not have had the benefit of a decent review (though not all Fedora
packages get that either).

In general, it's just a matter of best practice to build as a non-root
user.  Ideally, you don't want to build as your normal user either, to
prevent files like your ssh or gpg keys or other sensitive files from
being exposed to a potentially buggy and/or malicious build
environment.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
There is considerable overlap between the intelligence of the smartest
bears and the dumbest tourists.
  -- Park ranger yro.slashdot.org/comments.pl?sid=191810&cid=15757347

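Two of the checks Todd describes can be scripted ahead of `rpmbuild`: scanning the upstream Makefile's install rules for writes that bypass $(DESTDIR), and comparing the file list of the freshly built binary rpm against what installed packages already own. The script below is an added example, not code from the post or from Fedora's tooling. The sample Makefile and the package-ownership table are constructed for the demo; `rpm_owner_of()` is the only part that talks to a real rpm database, and it is not needed to run the rest.

```python
"""Pre-build / pre-install checks for a rebuilt rpm (added example).

 1. find_destdir_misses() lints install/uninstall recipes in a Makefile for
    writes to live system paths that are not prefixed with $(DESTDIR).
 2. find_file_conflicts() lists files of a new package that an already
    installed package owns; with real data that is `rpm -qlp new.rpm`
    fed through `rpm -qf`, the same overlap rpm refuses at install time.

The Makefile text and ownership table below are constructed sample input.
"""
import re
import subprocess
from typing import Callable, Dict, List, Tuple

# GNU install-directory variables: their expansions are real system paths,
# so a recipe may only write to them as $(DESTDIR)$(var)/...
INSTALL_DIR_VARS = ("prefix", "exec_prefix", "bindir", "sbindir", "libdir",
                    "libexecdir", "sysconfdir", "datadir", "datarootdir",
                    "mandir", "includedir", "localstatedir")
LIVE_DEST = re.compile(r"^(/|\$[({](" + "|".join(INSTALL_DIR_VARS) + r")[)}])")
DESTDIR_PREFIX = re.compile(r"^\$[({]DESTDIR[)}]")
INSTALL_TARGET = re.compile(r"^(un)?install[\w-]*\s*:")
COPY_LIKE = ("install", "cp", "mv", "ln")               # destination = last argument
PATH_CMDS = ("mkdir", "rm", "rmdir", "chmod", "chown")  # every non-flag argument is a path


def _normalize_cmd(tok: str) -> str:
    # "$(INSTALL_DATA)" -> "install_data", "${RM}" -> "rm", "cp" -> "cp"
    return re.sub(r"^\$[({]|[)}]$", "", tok).lower()


def find_destdir_misses(makefile: str) -> List[Tuple[int, str]]:
    """Return (line_no, offending_path) for each install/uninstall recipe
    command that targets a live system path without a $(DESTDIR) prefix."""
    misses: List[Tuple[int, str]] = []
    in_install = False
    for line_no, raw in enumerate(makefile.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if not line.startswith("\t"):
            # Rule header or variable assignment: the recipe lines that follow
            # belong to it, so remember whether it is an install-like target.
            in_install = bool(INSTALL_TARGET.match(line))
            continue
        if not in_install:
            continue
        recipe = line.strip().lstrip("@-+").strip()   # drop make's @/-/+ prefixes
        for sub in re.split(r"\s*(?:&&|\|\||;)\s*", recipe):
            tokens = sub.split()
            if not tokens:
                continue
            cmd = _normalize_cmd(tokens[0])
            if cmd.startswith(COPY_LIKE):
                dests = tokens[-1:]
            elif cmd.startswith(PATH_CMDS):
                dests = [t for t in tokens[1:] if not t.startswith("-")]
            else:
                continue
            for dest in dests:
                if LIVE_DEST.match(dest) and not DESTDIR_PREFIX.match(dest):
                    misses.append((line_no, dest))
    return misses


def find_file_conflicts(package: str, package_files: List[str],
                        owner_of: Callable[[str], List[str]]) -> Dict[str, List[str]]:
    """Map each file of `package` to the other installed packages owning it.
    owner_of is injected so the check runs offline in tests."""
    conflicts: Dict[str, List[str]] = {}
    for path in package_files:
        others = [o for o in owner_of(path) if o != package]
        if others:
            conflicts[path] = others
    return conflicts


def rpm_owner_of(path: str) -> List[str]:
    """Real lookup against the local rpm database (`rpm -qf`); rpm exits
    non-zero for an unowned file, which is reported as no owners."""
    res = subprocess.run(["rpm", "-qf", "--qf", "%{NAME}\n", path],
                         capture_output=True, text=True)
    return res.stdout.split() if res.returncode == 0 else []


# Constructed sample Makefile: two recipe lines forget $(DESTDIR).
MAKEFILE = """\
prefix = /usr
bindir = $(prefix)/bin
sysconfdir = /etc

all: hello

install: all
\t$(INSTALL) -d $(DESTDIR)$(bindir)
\t$(INSTALL) -m 755 hello $(DESTDIR)$(bindir)/hello
\tinstall -m 644 hello.conf $(sysconfdir)/hello.conf
\trm -f /usr/bin/hello-old

uninstall:
\trm -f $(DESTDIR)$(bindir)/hello
"""

# Constructed ownership table standing in for the rpm database.
OWNERS = {"/usr/bin/hello": ["hello"], "/etc/hello.conf": ["hello-config"]}
NEW_FILES = ["/usr/bin/hello", "/etc/hello.conf", "/usr/lib/hello/plugin.so"]


def demo_owner_of(path: str) -> List[str]:
    return OWNERS.get(path, [])


if __name__ == "__main__":
    for line_no, dest in find_destdir_misses(MAKEFILE):
        print(f"Makefile:{line_no}: writes to live path {dest} without $(DESTDIR)")
    for path, owners in find_file_conflicts("hello", NEW_FILES, demo_owner_of).items():
        print(f"{path} already owned by {', '.join(owners)}")
```

Run the Makefile check on the unpacked upstream tarball before building, and feed `rpm -qlp hello-*.rpm` to `find_file_conflicts()` (with `rpm_owner_of` as the lookup) afterwards. Neither replaces the habit the thread recommends: do the build itself as a dedicated unprivileged user so a recipe the linter does not understand still cannot touch the live system.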

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines