On Fri, Jul 10, 2009 at 11:11 AM, Allan McRae<[email protected]> wrote: > Loui Chang wrote: >> >> On Fri 10 Jul 2009 17:25 +0200, Thomas Bächler wrote: >> >>> >>> The original complaint was that when using makepkg -sic, the sudo >>> password is cached after dependency installation and malicious sudo >>> commands might be executed during build() as the password is cached. >>> >>> My opinion on this is that we should not encourage people to use >>> sudo, Aaron suggested to move it here for further discussion. What do >>> you think? >>> >> >> Actually I think syncdeps and install should be removed from makepkg, >> just as builddeps was. Then sudo can be completely removed from makepkg. >> People may complain though. >> > > And I would be one of them as removing syncdeps would make building in a > clean chroot an absolute pain in the arse. > > Anyway, as far as removing sudo usage goes... I haven't thought much about > this, but my initial opinion is that people who are concerned about sudo can > set it up they way they like. e.g. no password caching and use of root > password, which would make sudo essentially an alias for "su -c". > > So I really think this is a non issue. If someone does not like sudo, do > not install it and use "pacman -S --asdep" yourself to install the needed > deps. Makepkg gives you the option, but no-one is forcing you to use it. > > I would consider a patch that allows the user to configure whether they use > "sudo" or "su -c".
I don't use the option much myself, but yeah, I think removing it would be a bit rough for some. I would also take a patch for the manpage offering some more stern words about what using these options can mean. Keep in mind we've done a few things with sudo and makepkg in the past (in reverse chrono order): http://projects.archlinux.org/?p=pacman.git;a=commitdiff;h=f827c9572e9c8a21d57e58bd61038226e9e0c05e http://projects.archlinux.org/?p=pacman.git;a=commitdiff;h=fb10e0c797b649dc036bc0432dc77cffaabbc56d http://projects.archlinux.org/?p=pacman.git;a=commitdiff;h=b6d991cf7b3f3227d06bdf13e1d515b1cf7c90f4 http://projects.archlinux.org/?p=pacman.git;a=commitdiff;h=f6d97da70dfde16f2e4d5e582c7b3a5116a47860 -Dan _______________________________________________ pacman-dev mailing list [email protected] http://www.archlinux.org/mailman/listinfo/pacman-dev
