Re: Conditional Recommends
"Eugene V. Lyubimkin" <jackyf@debian.org> writes:
>> > > and secondly, this is easily abusable by third-package maintainers
>> > > and even packages from completely different, non-Debian
>> > > repositories:
>> > >
>> > > Package: some-package
>> > > Depends: gnome
>> > > Recommended-When: gnome
>>
>> Third-party repositories have root access on your system, see Google's
>> (past?) packages for things that could be done. Chrome does not abuse
>> it but only fiddles in your sources.list and crontab because they want
>> to ensure that you don't browse the internet with a browser full of
>> security holes (whether this is a good way to do this does not seem to
>> belong to this thread).
>
> No, third-party repositories do not have any access on my system,
> packages from third-party repositories do _if_ I have installed them,
> and usually, I think, it's a regular user access, not root one, given I
> pre-checked package maintainer scripts before the installation.
And when third-party adds a bash 4.2-1 to their repository your next
apt-get update/upgrade will happily install it and you won't
notice. Unless you have gone through the trouble of pinning everything
manually.
I would say the number of users that read maintainer scripts prior to
installation of every package from a thrid-party repository approaches 0
closely followed by extensive pinning.
> 'Recommended-When' gives them (= packages from any repositories) an
> ability to be installed by default accompanying any package they want. A
> major difference as for me.
As exploits go that is just one more and one that is quite
noticeable. Your package manager will tell you about NEW packages being
installed and then you can say: WTF is that? Taking over an existing
package is much harder to spot and would be the prefered attack.
Note: apt could also easily not install Recommended-When by
default and have an option to enable it. Just like Recommends and
Suggests are configurable.
MfG
Goswin
Reply to: