Hi, all

Please see the updated one-pager for findutils attached.
I am resetting the timeout to be Sept 2nd.

--Irene

Luis de Bethencourt wrote:
> Stephen Hahn wrote:
>> * Darren J Moffat <Darren.Moffat at Sun.COM> [2008-08-20 14:13]:
>>
>>> Luis de Bethencourt wrote:
>>>
>>>> locate is a clear security risk. For familiarity locate command
>>>> should be an alias to slocate executable.
>>>>
>>> My understanding was that locate was perfectly secure providing it
>>> was not installed setuid/setgid and that the database it looks at
>>> was not generated by other user.
>>>
>>> The slocate case didn't provide an updatedb.conf file because this
>>> case was likely to deliver one.
>>>
>>> glocate would be wrong according to the rules because there is no
>>> clashing /usr/bin/locate at this time.
>>>
>>
>> (I was expecting that /usr/bin/locate would be a symbolic link to
>> slocate.)
>>
> It is going to be like that. :)
>>
>>> What do most Linux distributions that ship GNU findutils and slocate
>>> do?
>>>
>>
>> I'd like an answer to this question as well. For instance, if locate
>> is to be dropped from findutils, will findutils have a package
>> dependency on slocate so that the installation of findutils always
>> provides a locate implementation?
>>
> That's a very good idea. I will add the dependency in the spec.
>
> Luis
>> (As a comparison, the only component dropped from coreutils was
>> su(1M). We even shipped shred, even though ZFS invalidates shred's
>> assumptions about storage...)
>>
>> - Stephen
>>
>>
>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: onepager-findutils.txt
URL: <http://mail.opensolaris.org/pipermail/opensolaris-arc/attachments/20080829/ad67d8c8/attachment.txt>