Issue #21760 has been updated by Matthaus Owens.

Status changed from Unreviewed to In Topic Branch Pending Review
Target version changed from 1.6.x to 1.7.x

Pull request to remove the script in https://github.com/puppetlabs/facter/pull/490

This script has been replaced by shared rake based tasks. They also use packagemaker (we have an open ticket to switch to a more modern system), but they dynamically generate their preflight to avoid the dangerous rms you mention.

As I mention in the commit message, using `rake package:bootstrap` followed by `rake package:apple` will use our rake based packaging tasks, which are similar to the createpackage.sh script.

----------------------------------------
Bug #21760: facter 1.6.18 tarball has a very dangerous preflight script
https://projects.puppetlabs.com/issues/21760#change-94744

* Author: Clay Caviness
* Status: In Topic Branch Pending Review
* Priority: Urgent
* Assignee:
* Category: installation
* Target version: 1.7.x
* Keywords:
* Branch:
* Affected Facter version: 1.6.18
----------------------------------------
(I emailed this to puppet-users as well)

The facter 1.6.18 tarball has many issues.

First, the ext/osx/createpackage.sh script still uses packagemaker, which is deprecated. And even if it used that, there are a few references to files in the now-deleted conf/osx/ directory.

So it's pretty difficult to create a Mac pkg from this, but after some tweaking of the createpackage.sh script, I managed to do it! I ran the package it created, and noticed the preflight script was taking a looooong time to run. I looked at it, and ...

Well, here are the last two lines of the preflight as shipped in the tarball:

<pre>
$ tail -2 ext/osx/preflight
# remove old doc files
/bin/rm -Rf "${3}/"
</pre>

Pop quiz for everyone: what could go wrong here? I'll give a hint: when installing a Mac package, $3 is set to the path of the target install volume.

Looking at the source in git, I'm not sure how this preflight got into this state; all the packaging stuff is currently a mess (both facter and puppet are still using the long-deprecated packagemaker tool, among other issues).

Anyway, thankfully I caught this before it killed my local home, but I did have to re-image.

NB: I'm not using facter 1.7.x because of various issues with the new cfpropertylist module's handling of plists.
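
A guarded alternative to the unconditional `/bin/rm -Rf "${3}/"` quoted in the report, as an added example that is not part of the original message or of facter's packaging code. `safe_rm_under` and `OLD_DOCS_REL` are hypothetical names, and the docs path is a placeholder because the report does not give the intended one.

```shell
#!/bin/sh
# Added example, not facter's packaging code. OLD_DOCS_REL is a placeholder.
OLD_DOCS_REL="path/to/old/docs"

# safe_rm_under VOLUME REL
# Remove VOLUME/REL only when REL names something strictly below VOLUME.
safe_rm_under() {
    volume=$1
    rel=${2%/}          # drop a trailing slash so a final symlink is not followed

    # Reject empty, absolute, and "." / ".." paths: each of these can make
    # the rm target collapse to the volume root or climb out of it.
    case "$rel" in
        ""|/*|.|..|./*|../*|*/.|*/..|*/./*|*/../*)
            echo "preflight: refusing to remove '$2' under '$volume'" >&2
            return 1 ;;
    esac

    # An unset or empty volume argument must never be treated as "/".
    [ -n "$volume" ] || { echo "preflight: no target volume" >&2; return 1; }
    vol_real=$(cd "$volume" 2>/dev/null && pwd -P) || return 1

    target="${vol_real%/}/$rel"
    # Nothing there (and not a dangling symlink): nothing to do.
    [ -e "$target" ] || [ -L "$target" ] || return 0

    # Resolve the parent so a symlinked directory component cannot redirect
    # the delete outside the volume.
    parent_real=$(cd "$(dirname "$target")" 2>/dev/null && pwd -P) || return 1
    case "$parent_real/" in
        "${vol_real%/}/"*) ;;
        *)  echo "preflight: '$rel' resolves outside '$vol_real'" >&2
            return 1 ;;
    esac

    /bin/rm -Rf -- "$parent_real/$(basename "$target")"
}

# Installer preflights receive the target volume as $3.
if [ "$#" -ge 3 ]; then
    safe_rm_under "$3" "$OLD_DOCS_REL"
fi
```

With an empty relative path, which is what the shipped line amounts to, the helper returns non-zero and deletes nothing.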
