-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

John Davidorff Pell wrote:
<snip>
> On the topic of security, would you like to find out one day that you
> have several SUID binaries on your system that you did not know about? I
> recently searched for them and found that fink had installed one from
> KDE as well as others. It is not mentioned ANYWHERE in the .info file or
> in any documentation from fink. I think that it should be policy to have
> a note in the description that mentions any SUID binaries.
>
I guess you come from a more "unixy" background? When we look at our typical user base we will find _a lot_ of pure Macintosh users that are slowly drifting into the world of Unix and all that it entails. Now if I simply mention in an info file that a "SUID" file will be installed, I can start adding 20 paragraphs to a FAQ explaining to them what a SUID file is, why it needs to be set that way at times, what security issues it entails and so on.


I will not say that it is not smart or even correct to educate users and explain to them that security is an important issue, yet I doubt that it is feasible in our specific situation. I would guess that over 90% of our users still use their Mac as a single-user machine. The packages that do install SUID binaries are probably maintained by people who know a lot about the things they package up and thus they can be trusted by the things they do. Now for the likelihood of exploitation I would think that we are far beyond a reasonable risk assessment with our specific user base and use case environment.

Thus _I_ believe that it is not really something we currently need. Yet, of course, it would and will be smart to keep an eye on this and develop proper procedures.

- -d



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/258MPMoaMn4kKR4RA3hhAKCh1yLKZ0KoapUsBPVaNor9oWRtCQCcDywI
sHLL/m0epeWPmC5EA+goFdA=
=ZMW1
-----END PGP SIGNATURE-----


_______________________________________________
Fink-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/fink-devel
