Evening,

On Mon, 30 Jul 2007, Panu Matilainen wrote:

>>>> the best way to make rpm reliable and consistent is to strip out all
>>>> things that are unnecessary.

Hm. Looking forward to pyrpm and pyyum or however it is called, is it necessary to keep rpm and yum at all? Neither pyrpm nor pyyum depends on rpmlib somehow. Isn't it overkill to have two implementations of the same thing? Guessing a python rpm (written only in that script language) would make many Red Hat people happy, because python is the Red Hat in-house de facto standard, isn't it?

>>> I would imagine this opens RPM up to remote attacks too.
>>
>> I second the above.
>> Running HTTP/FTP client as root is -not- a good idea.
>
> Yet that's how all our depsolvers and the associated tools work...

Well. Seen from this point, we should download *all* files in yum and (...) with an unprivileged account, check somehow and afterwards install as root. Eggdrop for example avoids being executed as root, but when you're hacking this into wget...it's better not to complete this sentence.

Finally, having Neon support in RPM is IMHO the same or a lower risk as having Neon support in Subversion. Why castrate RPM at all? It looks like it is just to get other non-named tools more deeply involved. And if this is the reason, there's from my POV no need to keep RPM in the current form. And a stupid python hack could replace everything and should be written fast; can somebody agree with me or am I already stamped as mailing list clown?

Greetings,
Robert

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list