Re: setuid/setgid binaries contained in the Debian repository.
On Sun, 3 Aug 2003, Manoj Srivastava wrote:
> Policy can make it so that packages are not accepted into
> Debian unless you hop through certain hoops. Like making sure the
> upload has a signature. Or that it has an entry in the override
> file. I can easily code an entry for katie and friends that takes a
> new package, and marks up the ones with setgid bits set -- and the
> ftp maintainers do not create override entries until they see a
> consensus develop, or the security team says ok.
No, this is not debian-policy. Having such a signature, or an override file
entry, has nothing to do with a package's interaction with the rest of the
system.
These items are only for accepting a package upload into the Debian archive.
You have said in various avenues that policy is only to be used for
documenting interactions between packages; yet, you then bring up this point,
and say it's a policy issue.
> For god's sake, come up with some more intelligent arguments
> for your point of view.
Don't change the facts to fit your personal view of the Debian universe.