On Thu, 28 Jul 2011 15:34:34 +0200
Marian Ganisin <mganisin@xxxxxxxxxx> wrote:

> On Wed, Jul 27, 2011 at 10:36:08AM -0400, Bernd Stramm wrote:
> > > c) there's a spec about ~/.local/bin already accepted by a
> > > friendly project
> >
> > This is STILL a security risk, even if somebody calls it a standard.
>
> This is STILL a claim without any proof, even if somebody repeats it
> every time.

You need proof that putting executables in hidden directories makes it
easier to do phishing?

> Does everybody calling this "security risk" check periodically his
> $PATH for a dot? (what does $PATH contain? don't look at it before
> answering) Are you periodically checking your ~/bin (do you know
> what's inside without looking there right now)? Are you periodically
> checking your ~/.bash* startup files for suspicious aliases and
> functions, includes?

It creates more work for those who look in ~/bin. They now have to also
look in a hidden directory.

In addition to that, we now have precedence that a simple yum update
changes where you have to look in your path inside $HOME. That is bad.

Aside from that, adding more elements to $PATH makes things more messy,
not cleaner. It slows things down. It creates more work for maintenance.
For what benefit?

--
Bernd Stramm
bernd.stramm@xxxxxxxxx

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
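
The checks discussed in this thread (a dot in $PATH, ~/bin, a hidden directory such as ~/.local/bin) can be scripted. The following is an added example, not part of the original message or of any Fedora package; the function name `audit_path` and its finding labels are assumptions made for illustration.

```shell
#!/bin/sh
# audit_path PATH_VALUE HOME_DIR
# Prints one "<kind> <entry>" line for every PATH entry that resolves to the
# current directory, is relative, or lives under HOME_DIR, and lists the
# executables found in the HOME_DIR entries.
audit_path() {
    home_dir=${2%/}
    rest="${1}:"    # trailing ":" keeps a final empty entry when splitting
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            '')    echo "cwd (empty entry)"; continue ;;  # empty entry means the current directory
            .|./*) echo "cwd $entry"; continue ;;
            /*)    ;;                                     # absolute: examined below
            *)     echo "relative $entry"; continue ;;
        esac
        case $entry in
            "$home_dir"/*) ;;
            *) continue ;;                                # system directory: not reported
        esac
        sub=${entry#"$home_dir"/}
        case "/$sub" in
            */.*) echo "hidden-in-home $entry" ;;         # some path component starts with a dot
            *)    echo "home $entry" ;;
        esac
        # Show what is actually executable there, including dot-files.
        [ -d "$entry" ] || continue
        for f in "$entry"/* "$entry"/.[!.]*; do
            if [ -f "$f" ] && [ -x "$f" ]; then
                echo "  executable $f"
            fi
        done
    done
    return 0
}

# Report on the current environment when the script is run directly.
audit_path "${PATH:-}" "${HOME:-/nonexistent}"
```

Entries under system directories are deliberately not reported, so the output stays limited to the locations the thread argues about.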