Hans-Christoph Steiner wrote:
> This could be approached another way. There could be scripts in the
> packaging tools that mark a package if it does not run anything in any
> of the scripts that does not come from the packaging tools. I think
> many many packages would qualify here, most packages do not touch the
> pre/post scripts, so the ones that are included are generated by
> debhelper or whatever.
>
> Then you could see whether a package is requesting to run its own
> scripts as root, and make the call there. A package that does not add
> anything to those scripts would be pretty safe to install, at least.
There is a lot of code that is run by maintainer scripts that currently has no reason to worry about the security of its inputs, which are provided by files in the package. For this to work, it would all need to be made secure. Retroactively adding such a security requirement is a good way to end up playing security whack-a-mole for many years thereafter.

-- 
see shy jo
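The check Hans-Christoph sketches, as an added example that is not code from the thread or from the Debian packaging tools: it strips the sections debhelper marks as its own from a maintainer script and reports whatever is left. It assumes debhelper's marker comments ("# Automatically added by ..." / "# End automatically added section") and uses constructed sample scripts; as the reply above points out, a script that passes this check can still hand package-supplied files to code that never expected hostile input.

```shell
#!/bin/sh
# Added example: flag a Debian maintainer script that contains anything beyond
# what debhelper generated. Assumes debhelper's standard markers
# "# Automatically added by <tool>/<version>" ... "# End automatically added section".
# Extract the scripts from a .deb first, e.g.: dpkg-deb --control pkg.deb ctrl/

# Print only the lines debhelper did not generate: drop debhelper sections,
# the shebang, "set -e", comments and blank lines.
custom_lines() {
    awk '
        /^# Automatically added by /          { skip = 1; next }
        /^# End automatically added section/ { skip = 0; next }
        skip                                 { next }
        /^#!/                                { next }
        /^set -e[[:space:]]*$/               { next }
        /^[[:space:]]*(#.*)?$/               { next }
        { print }
    ' "$1"
}

# Succeed (exit 0) only when the script is entirely debhelper-generated.
is_dh_only() {
    [ -z "$(custom_lines "$1")" ]
}

# Constructed sample scripts: one purely generated, one with a hand-written line.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
generated='#!/bin/sh
set -e
# Automatically added by dh_installinit/13.6
if [ "$1" = "configure" ]; then
    invoke-rc.d example start || exit 1
fi
# End automatically added section'
printf '%s\n' "$generated" > "$tmp/postinst.generated"
printf '%s\n%s\n' "$generated" 'sh /usr/share/example/setup.sh' > "$tmp/postinst.custom"

for f in "$tmp"/postinst.*; do
    if is_dh_only "$f"; then
        echo "$(basename "$f"): debhelper-generated only"
    else
        echo "$(basename "$f"): contains maintainer-written code:"
        custom_lines "$f" | sed 's/^/    /'
    fi
done
```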