On Fri, Jul 11, 2008 at 3:56 PM, Jonas Karlsson <[EMAIL PROTECTED]> wrote: > On Fri, 11 Jul 2008 20:27:15 +0200, Hisham <[EMAIL PROTECTED]> wrote: > >> On Fri, Jul 11, 2008 at 1:01 PM, Jonas Karlsson <[EMAIL PROTECTED]> wrote: >>> On Fri, 11 Jul 2008 16:37:51 +0200, Hisham <[EMAIL PROTECTED]> wrote: >>> >>>> On Fri, Jul 11, 2008 at 3:43 AM, Jonas Karlsson <[EMAIL PROTECTED]> wrote: >>>>> There has been a proof of concept where a group of people has injected >>>>> bad packages into a distribution by asking to be a mirror and providing >>>>> erroneous updates (1). >>>>> The issue is not that they provided spoofed, hacked or broken packages, >>>>> which would fail with bad signature (or the user had to add the key to >>>>> their keyring), but they used old packages which they updated version >>>>> information for. An example for GoboLinux would be to repack an old >>>>> version, Foo--1.2--i686.tar.bz2 as Foo--2.3--i686.tar.bz2 and our tools >>>>> would be fooled to thing that the latter was an update/later version >>>>> (you would also change the name of the version directory in the tarball). >>>>> This meant that users that used that "mirror" would get "updates" that >>>>> wasn't always up to date and even might have security issues. >>>>> We need to add version information to our packages, any idea on a good >>>>> scheme for that? >>>> >>>> Yes, we just need to add the full path to the FileHash file entries. >>>> If they are tampered with, FileHash.sig will alert. Fix committed to >>>> svn. >>> >>> I don't think we should use *full* paths, only <program name>/<version>. >>> People might not have $goboPrograms at /Programs. >> >> These people better not use the binary packages, for tricky troubles >> await them if they do. >> > That depends on how they are built. Lucas has made successful builds against > /System/Index, meaning that the binaries doesn't reference /Programs at all. > That also means that packages can be placed anywhere, as long as they have > symlinks in /S/I. One can, already today, install binary packages at any > prefix and just symlinking them, with none or very little breakage (depends > on application). I think we should cover these cases, especially as we will > have them in the future.
People who are willing to go through this "very little breakage" should know what they're doing, in which case they can bypass the check. I never wanted programs to be installed outside of /Programs (hell, that's why GoboLinux was created in the first place! to end the proliferation of locations where apps were installed!). If you want to encourage this behavior, go ahead and revert. -- Hisham _______________________________________________ gobolinux-devel mailing list gobolinux-devel@lists.gobolinux.org http://lists.gobolinux.org/mailman/listinfo/gobolinux-devel
