On Mo März 12 2007, Tom 'spot' Callaway wrote: > However, we're talking about someone performing an operation in a very > tiny gap. It's just as likely that they would manually replace files at This can be easily automated, > any point in the process, or to argue that someone might rm -rf > $RPM_BUILD_ROOT behind my back. while this normally is not possible with correct/normal file permissions. > Basically, what I'm saying is that this "race" is so unlikely, I don't > think we need to bother to go out of our way to prevent it. The fix is very easy, just add one line with mkdir. > It would be far easier for an attacker to leverage wildcarding in %files > while a package is building, wait for it to perform make install, then > slide in their malicious bits. This is also not possible with normal file permissions, Regards, Till
Attachment:
pgpET44849hW1.pgp
Description: PGP signature
-- Fedora-packaging mailing list Fedora-packaging@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-packaging
