Re: suggestion: rescue boot extension

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2010-06-03 at 14:05 -0400, Matthew Miller wrote:
> On Wed, Jun 02, 2010 at 04:02:21PM -0400, Jon Masters wrote:
> > > Hm. I can see the use of this, but I can also see issues with how you
> > > do updates for it sanely (if at all.)
> > Yea. I think you don't do updates for it in general. I think I agree
> > with Seth that this is something Anaconda stuffs in place when it
> > installs grub. Optionally, maybe you upgrade it once per release when
> > you next run Anaconda, but basically it doesn't change. It's about "get
> > me booted to more than a command line to fix stuff", not latest glitz.
> 
> This needs to be stated very clearly in the 'rules' for the feature. The
> environment should be kept minimal and rescue-focused, to reduce the risk of
> security vulnerabilities in the rescue tools. (What if there's an exploit in
> wget or curl that can be used to execute arbitrary code when you think
> you're just downloading an RPM to fix an issue?)

Agreed. But it is the same problem as "what if there's an exploit in a
library Anaconda uses to download repos during install?". There would
still be a lot of media out there and I'm not sure we've ever respun the
main images post GA for that, unless I'm just very wrong. As long as
we're very clear, I think it's ok.

Jon.


-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux