
Re: Installing debian package independent from system



On Tue, Aug 23, 2011 at 5:20 PM, Walter Hurry <walterhurry@lavabit.com> wrote:
> On Tue, 23 Aug 2011 11:24:38 -0300, D G Teed wrote:
>
> > A user would like the latest and greatest zsh and we have a deb package
> > for it.  For security purposes I want to keep the slightly older version
> > of zsh obtained and maintained from debian packages as the system
> > default zsh.
>
> Your reasoning does not seem logical to me. If you need to stick to an
> older version of a given package for "security purposes", then why allow
> one user access to an allegedly insecure version?
>
> On the other hand, if it is considered safe for that user to have access
> to the latest version, then why not just make it standard for everyone?


The user has a shell account and access to a compiler.  If they want
to, they can compile and create zsh or other software and run it
under their own home area.  There is no policy blocking that.
I'm merely helping them out a little, and gaining a bit of
organization in contrast to letting users create their own solution.

If there was a security issue against zsh, chances are that script kiddies
would be looking at the one in the default location, not the hand-compiled one.

There is also a small risk that the hand-compiled one becomes unsupported
temporarily due to lib updates, so it can't hurt to carry the supported version
as a fallback.

