Product: Fedora

https://bugzilla.redhat.com/show_bug.cgi?id=908116

Michael Scherer <misc@xxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?

--- Comment #6 from Michael Scherer <misc@xxxxxxxx> ---
I do not get it. If the file is marked as a %config file, that means I should be
able to touch it and not have it broken on a security upgrade. If I shouldn't
touch it, then just do not mark it as %config. Either this is a file for
upstream, or a file for the admin. Having it both ways is looking for problems.

Permissions of 640 and 750 are wrong. That produces useless rpmlint warnings and
protects nothing.

And the point on having %{consoledir}/config/environments/production.rb writable
by apache (among others) and the security issue it poses are still valid.

The init script does rather strange things, such as running bundle --install:

rm -rf Gemfile.lock
scl enable ruby193 "bundle install --local" > /dev/null
chown apache:apache Gemfile.lock
popd > /dev/null

Which basically means that after restarting the service, it will download stuff
from the web and install code that is outside of the package manager. That does
not seem like a good idea security-wise :/

And I am not sure, again, that we need a /etc/sysconfig/ file, especially if
there is no added value (i.e., there is nothing an admin should really modify
there).

There is also a spurious requires on v8-devel, and there is no reason for that
IMHO. Maybe that's needed due to the bundle install in the initscript, but then,
that's really more problematic.