Vadim Zhukov <persg...@gmail.com> wrote:
> But anyway, root-only requirement for listing available syspatches
> seems a bit silly.

As Antoine has replied, this is so the file retrieval occurs as a privsep user, so that a bug in that tooling is very much more difficult to exploit.

Undoing that privsep feels unhealthy.

The simplest form of check doesn't even need this much work: If a newer SHA256.sig file has been published, maybe there's something new.
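
The check suggested in the reply above, sketched as an added example (not part of the original message and not syspatch's own code): it compares a cached SHA256.sig with a freshly fetched copy and prints the entries that are new. It assumes an unprivileged user has already downloaded both copies and that entries are BSD-style `SHA256 (name) = hash` lines; the function names and sample data are constructed, and no signature is verified, so the result is only a hint.

```shell
#!/bin/sh
# Print names listed in the fresh SHA256.sig ($2) but not in the cached one ($1).
# Exit status: 0 = new entries printed, 1 = nothing new, 2 = fresh copy missing.
# Nothing here needs root, and nothing here is trusted: verification and
# installation stay with the privileged, privilege-separated tooling.
new_sig_entries() {
    old=$1 new=$2
    [ -f "$new" ] || return 2
    [ -f "$old" ] || old=/dev/null        # first run: every entry counts as new
    cmp -s "$old" "$new" && return 1      # byte-identical: nothing was published
    out=$(awk -F'[()]' '
        /^SHA256 \(/ {
            if (FILENAME == ARGV[1]) seen[$2] = 1      # entry in cached copy
            else if (!($2 in seen)) print $2           # entry only in fresh copy
        }' "$old" "$new")
    [ -n "$out" ] || return 1             # file changed, but no new entries
    printf '%s\n' "$out"
}

# Constructed sample input: placeholder signature, hashes and file names.
write_samples() {
    cat > "$1/old.sig" <<'EOF'
untrusted comment: constructed sample, not a real signature
PLACEHOLDER-SIGNATURE-OLD
SHA256 (syspatch00-001_example.tgz) = 0000000000000000
EOF
    cat > "$1/new.sig" <<'EOF'
untrusted comment: constructed sample, not a real signature
PLACEHOLDER-SIGNATURE-NEW
SHA256 (syspatch00-001_example.tgz) = 0000000000000000
SHA256 (syspatch00-002_example.tgz) = 1111111111111111
EOF
}
```

A zero exit status only means the signed list changed and names something the cached copy lacks; it does not say the patch applies to this machine.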