I am late to the discussion, and a lot of them are related to the security implications. I am more worried about users overriding dependencies of other programs. Let me explain with a hypothetical case:

1- There is a system-installed application that manipulates PDFs and has a requirement on Ghostscript.
2- The user is a JavaScript developer and installs a tool named Google Sanitizer (fake name, npm install gs) and ends up with a command named gs on the PATH overriding the system-installed gs.
3- The PDF application starts to fail with weird error messages, and new bugzilla entries are added.

What are the policies of those other distributions when packaging applications? Do they force packagers to use absolute paths to their dependencies? Fedora currently doesn't do that, and I like that dependencies are called taking the PATH into account rather than with absolute paths, but until now all Fedora packagers have assumed that ~/.bin and ~/.local/bin do not interfere by default with system-installed applications.



On 06/07/2018 04:21 AM, Sorin Sbarnea wrote:
Well said, there is no catchy name for this (virtual) security threat. We will 
have to let one of those who oppose this proposal find a catchy name 
(PATHEXIT?), maybe even build a paper explaining how to mitigate it.

I am a bit disappointed because other distributions fixed it, even twice after a 
temporary regression due to a mistake. We never did it.

Now that we have a change proposal, how to continue? To get it accepted or 
rejected, is there a way/process that we need to follow?

Should we maybe add a section to the document with supporters and opposers 
where people can record themselves?

Thanks
Sorin



_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/VXFYSGI372TMRE5YRATKR4SKV4LXOMDV/
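
The PATH-shadowing scenario described at the top of this thread, as an added example that is not part of any of the posts: a POSIX shell audit that lists executables in user-writable bin directories sharing a name with a system command. The directory names and demo files are constructed in a temp directory and are assumptions for the demo, not real system paths; a collision only bites when the user directory sorts ahead of the system one in PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Reports executables in user-writable
# PATH directories that shadow a same-named command in a system directory.
# Assumes POSIX sh and mktemp; the demo tree below is constructed.

# shadowed_commands "USER_DIRS" "SYSTEM_DIRS"
# Both arguments are space-separated directory lists.
# Prints "name user_path system_path" for each collision, one per line.
shadowed_commands() {
    user_dirs=$1
    sys_dirs=$2
    for udir in $user_dirs; do
        [ -d "$udir" ] || continue
        for f in "$udir"/*; do
            # skip non-executables, directories and an unmatched glob
            [ -x "$f" ] && [ ! -d "$f" ] || continue
            name=${f##*/}
            for sdir in $sys_dirs; do
                if [ -x "$sdir/$name" ] && [ ! -d "$sdir/$name" ]; then
                    printf '%s %s %s\n' "$name" "$f" "$sdir/$name"
                    break
                fi
            done
        done
    done
}

# Constructed demo mirroring the thread: a system Ghostscript 'gs' in a fake
# /usr/bin, an npm-installed 'gs' in a fake ~/.local/bin, and a harmless
# user tool that collides with nothing. Only the 'gs' pair is reported.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin" "$tmp/home/.local/bin" "$tmp/home/bin"
    printf '#!/bin/sh\necho ghostscript\n' > "$tmp/usr/bin/gs"
    printf '#!/bin/sh\necho google-sanitizer\n' > "$tmp/home/.local/bin/gs"
    printf '#!/bin/sh\necho mytool\n' > "$tmp/home/bin/mytool"
    chmod +x "$tmp/usr/bin/gs" "$tmp/home/.local/bin/gs" "$tmp/home/bin/mytool"
    shadowed_commands "$tmp/home/.local/bin $tmp/home/bin" "$tmp/usr/bin"
    rm -rf "$tmp"
}

# Live audit of the directories the thread discusses (uncomment to run):
# shadowed_commands "$HOME/.local/bin $HOME/bin" "/usr/local/bin /usr/bin /bin"
```

Running `demo` prints a single line for `gs`, which is exactly the collision the PDF application in the scenario would hit.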
