On Sat, 2002-10-12 at 01:27, Claes Wallin wrote: > Of course we need to take security seriously, but I'm not convinced > that demanding unnecessary privileges or faking them does that. These > files don't need to be owned by root or seem to be owned by root during > the packaging process - we should be able to just tell tar to override > the fs metadata. I realize that the current system works, but I reserve > the right to call it a silly hack.
Yep, and requiring root ownership during package creation adds *nothing* to security, because anyone with 30 mins to spare can create a tar that allows arbitrary user ownership during creation. Rob
