On 15/06/18 19:52, Przemek Klosowski wrote:
> I have mixed feelings about that. On one hand, I agree that this is NOT
> a serious security issue (it's essentially a local compromise requiring
> an existing local compromise), so if someone claims it'll make their
> life easier, I want to say 'just do it'.
>
> On the other hand, I am uneasy about the whole thing: the PATH ordering
> only matters for system-provided software, so we're essentially either
> acknowledging that we can't keep up with a decently updated
> distribution, or accommodating a very small group that needs cutting
> edge stuff that is not relevant to the vast majority of users.

+1

This is now a very long thread dominated by the security questions like
"what if?". Nothing bad in that, but we need to keep some focus also on
the use cases to be able to make the inevitable trade-off between
usability and security.

The use case represented by npm et al. is important. To have the platform
so secure that these environments don't work out of the box is probably
to shoot ourselves in our feet.

Cheers!
..alec
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/VWGIFKY7E3N4KCAGGH4E5RTXC5KMFX7W/