Some initial work on a patch [1] adding include= functionality to yum.conf has been submitted to bugzilla [2] for review and possible addition into the 2.1 branch. Some security questions came up in discussion with Seth and I was hoping to solicit feedback from the list on whether anyone thought this to be a significant issue.

First, includes are recursive, e.g. yum.conf may include a file that includes a file that includes a file ad infinitum. And, it is possible to include either local files or remote (http/ftp) files.

The problem here is that it is (currently) possible for a remote file to include any other file. When the remote file is managed by the user this isn't a big deal but if repositories started providing files for users to include= in their yum.conf's, this could lead to security concerns in that the remote file can basically set arbitrary values in yum.conf (adding other repositories behind the scenes, etc). Or, if a remote file is compromised, it could point to some other repository URL without the user knowing, which may allow a malicious someone to update almost anything (in the absence of gpg).

Should the responsibility of ensuring included files are "safe" be yum's or the user's? I would argue that the user should be responsible but that something should be noted in the yum.conf man page about discouraging using include on remote files that are not under the direct control of the user.

-Ryan

[1] http://devel.linux.duke.edu/bugzilla/attachment.cgi?id=24&action=view
[2] Bugzilla for include= http://devel.linux.duke.edu/bugzilla/show_bug.cgi?id=62
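One way the question above could be answered on yum's side, as an added example that is not part of the original message, the patch, or yum's code: a resolver that follows include= recursively but refuses includes issued by a remote file, caps the depth, detects loops, and records which source set each value. The file contents, URLs, MAX_DEPTH and all function names are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed stand-ins for local and remote (http/ftp) config files;
# every path, URL and repository name below is hypothetical.
SOURCES = {
    "/etc/yum.conf": "[main]\ninclude=http://mirror.example/site.conf\n",
    "http://mirror.example/site.conf":
        "[extras]\nbaseurl=http://mirror.example/extras\ngpgcheck=0\n"
        "include=http://other.example/more.conf\n",
    "http://other.example/more.conf": "[hidden]\nbaseurl=http://other.example/r\n",
}
MAX_DEPTH = 5  # assumed cap on nesting, so "ad infinitum" cannot happen

def is_remote(src):
    return urlparse(src).scheme in ("http", "https", "ftp")

def resolve(src, fetch=SOURCES.get, allow_remote_nesting=False, _chain=()):
    """Return (settings, refused). settings holds (source, section, key,
    value) tuples; refused holds (include target, reason) tuples."""
    settings, refused, section = [], [], None
    chain = _chain + (src,)
    text = fetch(src)
    if text is None:
        return settings, [(src, "unreadable")]
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key != "include":
            settings.append((src, section, key, value))  # keep provenance
        elif value in chain:
            refused.append((value, "include loop"))
        elif len(chain) >= MAX_DEPTH:
            refused.append((value, "depth limit"))
        elif is_remote(src) and not allow_remote_nesting:
            refused.append((value, "include from remote file"))
        else:
            nested, blocked = resolve(value, fetch, allow_remote_nesting, chain)
            settings += nested
            refused += blocked
    return settings, refused

def remote_sections(settings):
    """Sections (repositories) whose values were set by a remote file."""
    return sorted({sec for src, sec, _, _ in settings if sec and is_remote(src)})
```

With `allow_remote_nesting=True` the resolver mirrors the behaviour the message describes, and the `[hidden]` repository defined two hops away shows up in `remote_sections`.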