On Wed, 19 Jan 2005 01:07:28 +0100
Alexander Mieland <[EMAIL PROTECTED]> wrote:

> And then he also can look into the *bin-directories for an
> application he is searching for and then he can run `application
> -(v|v|-version)` to get the version of this application.

That won't give him package revisions. And this is important when
you are looking for a security hole, because hot security fixes
often come in revision bumps prior to version bumps.

While I agree that hiding emerge.log and keeping /var/db/pkg
readable is pointless, I can also understand people who would like
to hide both. It is a gift for malicious users to let them
freely run glsa-check or similar tools.

> But *if* there is one single important reason why it should be
> only read by root and the portage group, `uname` must also be
> restricted in that way and /var/db/pkg too, and all other
> hundred things too with which someone could find some secure
> information like package-versions, or whatever.

Bah... Security is, unfortunately, not about being exhaustive in
the precautions you take. It is more about making things difficult
enough for the attacker. It's not because your system is not a
perfectly black armoured box that the measures you've taken are
useless.

-- 
TGL.
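An added example, not part of the thread: a small POSIX sh audit that reports which Portage metadata paths grant read access to "other", i.e. the exposure the thread is arguing about. It assumes the standard Gentoo locations /var/log/emerge.log and /var/db/pkg when given no arguments.

```sh
#!/bin/sh
# Added example, not code from the gentoo-dev thread. Audits whether the
# Portage log and package database are readable by every local user.
# Default paths are assumptions based on a standard Gentoo install.

# Return 0 when the path itself has the "other" read bit set.
# `-prune` stops find from descending, so only the named path is tested;
# `-perm -004` matches when the o+r bit is present regardless of other bits.
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Print, one per line, the given paths that are world-readable.
# With no arguments, checks the two locations discussed in the thread.
# Always returns 0 so it composes cleanly under `set -e`.
world_readable_paths() {
    [ $# -eq 0 ] && set -- /var/log/emerge.log /var/db/pkg
    for p in "$@"; do
        if is_world_readable "$p"; then
            printf '%s\n' "$p"
        fi
    done
    return 0
}

# When run directly: list the exposed paths (no output means none are
# world-readable or the paths do not exist on this host).
world_readable_paths
```

A path that appears in the output is one from which any local account can read installed package versions and revisions, the data `glsa-check` needs; restricting it to root and the portage group (for example `chmod o-rx`) closes that read path without affecting Portage itself.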

--
gentoo-dev@gentoo.org mailing list
