
Bug#144571: dpkg-source invokes tar without --no-same-owner

On Fri, Apr 26, 2002 at 09:56:45AM +0100, Jules Bean wrote:
> It's a bit weird, I concede, but surely dpkg-source is not the kind of
> command you should be running as root anyhow?  Running arbitrary
> commands as root often leads to security problems...

dpkg-source is not an arbitrary command, it has a well defined action, and
is useful.  With the same logic you could say that tar is not a command you
should be running as root.  I mean, I agree that you shouldn't run a whole
xsession as root, including KDE and Mozilla :)  but for a low-level tool such as
dpkg-source it should simply work.

We should not let security come in the way of usability.  Where it is, the
programs need to be made more secure, not crippled to become unusable in
certain situations (like perldoc, which simply refuses to start).
Especially if it is easy to fix.


`Rhubarb is no Egyptian god.' Debian http://www.debian.org brinkmd@debian.org
Marcus Brinkmann              GNU    http://www.gnu.org    marcus@gnu.org
