Colin, you're right -- and I thought about that before hitting 'Post
Comment' -- but the world was different then; we still used telnet, rsh,
and ftp.

Installing a package in those days made an explicit decision to trust
that package with root shell privileges and allowed it to install setuid
or setgid executables into the filesystem. There would have been no need
to protect against slightly crafty .deb packages because the payload
itself was already all-powerful. We're changing this world to one where
the package might resort to crafty packaging to work around
restrictions, and we're asking an old and reliable codebase to do
something new. It comes with risks.

-- end-of-tangent :)

https://bugs.launchpad.net/bugs/1358272

Title:
  [MIR] debsig-verify