On Sat, 2007-07-28 at 16:14 -0500, Arthur Pemberton wrote:
> On 7/28/07, seth vidal <skvidal@xxxxxxxxxxxxxx> wrote:
> > On Sat, 2007-07-28 at 14:53 +0000, Kevin Kofler wrote:
> > > Panu Matilainen <pmatilai <at> redhat.com> writes:
> > > > - RPM is not an ftp/http client, it's a package manager.
> > >
> > > Am I the only one who thinks that being able to rpm -Uvh http://....rpm is a
> > > nice feature?
> >
> > it's not an issue of it being a nice feature - it is an issue of whether
> > it is a good idea to maintain the code. Keep in mind - rpm has its own
> > http/ftp client included. It's not using curl or wget. All its own code.
> > That seems a bit much to maintain esp when the majority of people using
> > rpm do it through a higher level language that already has a http/ftp
> > client.
> >
> > the best way to make rpm reliable and consistent is to strip out all
> > things that are unnecessary.
> >
> > -sv
>
> I would imagine this opens RPM up to remote attacks too.

I second the above.
Running HTTP/FTP client as root is -not- a good idea.
Even if HTTP is being pushed to an external plugin that's built around wget, this plug must be executed as user/guest and not as root.

- Gilboa

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list