Re: Building packages with exact binary matches
On Fri, Sep 28, 2007 at 09:18:12PM -0500, Manoj Srivastava wrote:
> On Fri, 28 Sep 2007 23:04:00 +0200, Martin Uecker <firstname.lastname@example.org> said:
> > There is some other thing I do not like about the way Debian packages
> > work. Every package I install can actually completely compromise my
> > system, because the maintainer scripts are run as root.
> You can, of course, run a strict mode SELinux system, and see
> that the apt_t security domain is sufficiently confined for your
> tastes (you may have a local security policy that tightens down the
> default project wide constraints, to the level you heart desires).
That would be an option. But it is exactly like the problem with
windows applications: Since the applications are used to having
the privileges, it is much harder to lock them down.