On Thu, 2008-06-12 at 16:32 +0200, Stanislav Brabec wrote:
> If rpmbuild itself
> will do rmdir()+mkdir() safely (correct privileges, force fail if
> directory exists and it is not possible to remove it), then the worst
> problem with the static BuildRoot is a DoS.

I generally agree with this statement. I'm not sure I would downplay the DoS as you do, but it is definitely less severe. We dodge this issue in Fedora by building all our packages in contained mock environments on secured builders, but it is something that should be addressed as we're tackling BuildRoot issues.

~spot

_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
https://lists.rpm.org/mailman/listinfo/rpm-maint
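
The rmdir()+mkdir() sequence discussed in this message, sketched as an added example; it is not rpmbuild code and not from either poster. The function name `fresh_buildroot`, the 0700 mode, and the choice to unlink a non-directory found at the path are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not rpmbuild's). Returns 0 when the build root was
 * recreated as a private directory, -1 when it must be treated as unusable. */
int fresh_buildroot(const char *path)
{
    struct stat st;

    /* Inspect the path itself, never a symlink target. */
    if (lstat(path, &st) == 0) {
        /* rmdir() only removes an empty directory we are allowed to remove;
         * anything else at the path is unlinked rather than followed. */
        int rc = S_ISDIR(st.st_mode) ? rmdir(path) : unlink(path);
        if (rc != 0)
            return -1;  /* exists and cannot be removed: forced failure */
    } else if (errno != ENOENT) {
        return -1;
    }

    /* mkdir() is atomic and does not follow a final symlink: if another
     * user recreated the path in the gap, it fails with EEXIST. */
    if (mkdir(path, 0700) != 0)
        return -1;

    /* Confirm we ended up with our own directory, closed to group/other. */
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <buildroot>\n", argv[0]);
        return EXIT_FAILURE;
    }
    if (fresh_buildroot(argv[1]) != 0) {
        fprintf(stderr, "refusing to build in %s\n", argv[1]);
        return EXIT_FAILURE;
    }
    return EXIT_SUCCESS;
}
```

Every -1 return is the residual DoS the thread refers to: a path that another local user occupies and the builder cannot remove stops the build instead of being written into.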