Re: Bug#79620: dpkg-source must handle file permissions
>>"Brian" == Brian May <bam@debian.org> writes:
Wichert> Unpacking should *never* rely on executing sh code that
Wichert> is part of the source package, that makes unpacking a
Wichert> possible security risk.
Brian> Unpacking is already a huge security risk. As a simplistic example,
Brian> unpacking the following package could have serious consequences
Brian> especially if done by root:
Well, installing a package you can't trust obviously has
security implications. However, I can take a .deb and unpack it in a
different dir, using tools I have trust in (ar, gzip, and tar); and
don't have to use anything in the package to unpack the package and
further investigate. (using a program inside the package may have
different run time behaviour depending on who the unpacker is).
I think that is the point Wichert was making.
manoj
--
Prediction is very difficult, especially of the future. Niels Bohr
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
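
Added example (not part of the original message or of dpkg): a read-only inspection of a .deb that parses the ar container and lists the gzip'd tar members without extracting or running anything from the package. The function names, the two checks (setuid/setgid bits, paths leaving the target directory) and the sample archive are assumptions constructed for illustration, and only .tar.gz members are handled.

```python
import io
import stat
import tarfile

def ar_members(blob):
    """Yield (name, data) for each member of an in-memory ar archive."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        size = int(hdr[48:58].decode("ascii"))
        yield hdr[:16].decode("ascii").rstrip(" /"), blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # member data is padded to an even length

def inspect_deb(blob):
    """Return (member, path, reason) findings; nothing is extracted or executed."""
    findings = []
    for name, data in ar_members(blob):
        if name.endswith(".tar.gz"):  # skip debian-binary and the like
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
                for m in tar:
                    if m.name.startswith("/") or ".." in m.name.split("/"):
                        findings.append((name, m.name, "path escapes target dir"))
                    if m.isfile() and m.mode & (stat.S_ISUID | stat.S_ISGID):
                        findings.append((name, m.name, "setuid/setgid bit"))
    return findings

def make_tar_gz(entries):  # constructed test data: (path, mode, body) -> .tar.gz bytes
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, mode, body in entries:
            info = tarfile.TarInfo(path)
            info.mode, info.size = mode, len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

def make_ar(members):  # constructed test data: (name, data) pairs -> ar archive bytes
    out = b"!<arch>\n"
    for name, data in members:
        out += b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, b"100644", len(data))
        out += data + b"\n" * (len(data) & 1)
    return out

# Constructed sample: a setuid binary and a path that climbs out of the target dir.
SAMPLE_DEB = make_ar([(b"debian-binary", b"2.0\n"), (b"data.tar.gz", make_tar_gz(
    [("./usr/bin/tool", 0o4755, b"x"), ("../outside", 0o644, b"y")]))])
```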