On Mon, 2007-03-12 at 16:30 -0400, Bill Nottingham wrote: > Rex Dieter (rdieter@xxxxxxxxxxxx) said: > > How is that a race exactly? rm doesn't exit/return until it is done, afaik. > > Someone could pre-make the build root in between the rm and mkdir calls. Erm, ok. In the buildsystem, this should never happen (hooray mock), but when building on a multi-user system, I can see the remote possibility. However, we're talking about someone performing an operation in a very tiny gap. It's just as likely that they would manually replace files at any point in the process, or to argue that someone might rm -rf $RPM_BUILD_ROOT behind my back. Basically, what I'm saying is that this "race" is so unlikely, I don't think we need to bother to go out of our way to prevent it. It would be far easier for an attacker to leverage wildcarding in %files while a package is building, wait for it to perform make install, then slide in their malicious bits. ~spot -- Fedora-packaging mailing list Fedora-packaging@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-packaging
