On Mon, Sep 15, 2014 at 04:07:39PM +0200, Vít Ondruch wrote: > Dne 15.9.2014 14:28, Richard W.M. Jones napsal(a): > > On Mon, Sep 15, 2014 at 10:57:13AM +0200, Vít Ondruch wrote: > >> Every of the script is based on assumption that you already read some > >> library/unit whatever. But that is not enough. I wonder how you want to > >> detect that you need restart in case that I have something like this: > >> > >> $ ls > >> foo.rb > >> bar.rb > >> > >> $ cat foo.rb > >> > >> def some_function > >> require 'bar' > >> end > >> > >> And now > >> > >> 1) I run some application, which loads my foo.rb file. > >> 2) I later update the package which removes bar.rb file. > >> 3) And I call some_function which fails due to missing bar.rb > > How is this not 'foo' simply being broken? > > They might come from different packages. OK, in which case the package that needs bar was broken because it didn't express that need in its dependencies, nor guard against the possibility that bar was not installed. > Or there might be also another > level of requires, where bar.rb requires by baz.rb. In case that bar.rb > stays and baz.rb is removed, you still cannot predict that this will > fail in the future, since neither of these files was loaded before. In which case bar.rb was similarly broken, for the same reason as above. > Or there might be another example of code with similar issues: > > $ cat foo.rb > > def some_function > $files.each {|f| require f} > end > > $files = Dir.glob('*.rb') > > I.e. during initialization, you list available files and you want to > load them later, but at that moment, they are not there already. This code is still by any measure broken. There are lots of ways that such code could fail to work. Plainly what I'm trying to say is: If the potentially insecure code has been loaded into a Python process, and the python interpreter has the small modification that I suggested, then we will be able to detect that the insecure code is loaded into memory and flag the process/service as needing to be restarted. That's all. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com virt-top is 'top' for virtual machines. Tiny program with many powerful monitoring features, net stats, disk stats, logging, etc. http://people.redhat.com/~rjones/virt-top -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct