On 06/07/2011 02:50 PM, Yury V. Zaytsev wrote:
> Hi!
>
> On Tue, 2011-06-07 at 12:35 -0700, Todd And Margo Chester wrote:
>
>> I am still stuck on if it is a security hazard in el6, why is it not also a
>> security hazard in el5? I presume that the dependencies in the RPM
>> would take care of anything that is different.
>
> This is, in fact, a very wrong assumption. RPM will not take care of it.
>
> RPM always assumes that the packages are coming from an appropriate
> channel and only tries to detect situations when there is a danger of
> inducing direct damage to the RPM database (unsatisfiable dependencies,
> wrong checksum / file corrupted, wrong signature etc.)
>
> If you keep mixing things, you are totally on your own. In the very best
> case it will detect some obvious linking problems, but not more than
> that. Possible pitfalls:
>
> 1) Library SONAME didn't change (i.e. functions get added), and the
> program uses new ABI, you install the RPM on the old system
>
> 2) Interpreter version is not recorded in RPM, software incompatible
> with newer/older Python
>
> 3) Few hundred others...
>
>> The code itself is still the code itself -- the code has not changed.
>> If it is safe in one, it should be safe in the other. I am clearly
>> not getting your point.
>
> You know, you should really get some basics right first. Sorry for that.

Hi Yury,
Thank you for the education. Follow-up question: if I were to skip the RPM process and just compile the app from the/a tar ball, would that remove your security concerns?

Many thanks,
-T

_______________________________________________
users mailing list
[email protected]
http://lists.repoforge.org/mailman/listinfo/users
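Yury's first pitfall (the SONAME stays the same, the library gains functions, and a binary built against the newer library is installed on the older system) is exactly the case RPM's automatic dependency generator cannot see: for a library without symbol versioning it records only the SONAME, `libfoo.so.1()(64bit)`, so the package installs cleanly and the program fails at run time with an unresolved symbol. The script below is an added example, not code from this thread or from RepoForge. It compares the undefined dynamic symbols a binary imports against the symbols its libraries export, the check RPM does not do. The library name `libfoo.so.1`, the symbol `foo_new_api` and the `nm -D` listings are constructed for the sample; `nm_dynamic` runs the real `nm -D` from binutils when you point it at files on a system.

```python
"""Symbol-level ABI check for the "SONAME didn't change" pitfall.

Added example, not code from the mailing-list thread. It answers the question
RPM does not ask: does every symbol the binary imports exist in the libraries
actually installed on the target system?
"""
import re
import subprocess

# Constructed `nm -D` output for a hypothetical binary built against a newer
# libfoo.so.1 that added foo_new_api (sample data, not from the page).
BINARY_NM = """\
                 w __cxa_finalize
                 U foo_init
                 U foo_new_api
                 U foo_run
                 U printf@GLIBC_2.2.5
0000000000001139 T main
"""

# Constructed `nm -D` output for the older libfoo.so.1 on the target system:
# same SONAME, but foo_new_api does not exist yet.
LIBFOO_OLD_NM = """\
0000000000001120 T foo_init
0000000000001150 T foo_run
0000000000004010 B foo_state
"""

# Constructed excerpt of the system libc's exports.
LIBC_NM = """\
0000000000060e10 T printf@@GLIBC_2.2.5
0000000000060f00 T puts@@GLIBC_2.2.5
"""

# `U` = undefined, must be supplied by some library at load time. Weak
# undefined symbols (`w`) are optional and are deliberately not checked.
UNDEF_RE = re.compile(r"^\s*U\s+(\S+)$")
# Exported definitions: an address followed by an exported symbol type code.
DEF_RE = re.compile(r"^[0-9a-fA-F]+\s+[TDBRWVi]\s+(\S+)$")


def _bare(name):
    """Strip a symbol-version suffix: printf@GLIBC_2.2.5 -> printf."""
    return name.split("@", 1)[0]


def undefined_symbols(nm_output):
    """Symbols the binary imports from shared libraries."""
    return {_bare(m.group(1))
            for m in map(UNDEF_RE.match, nm_output.splitlines()) if m}


def defined_symbols(nm_output):
    """Symbols a library exports."""
    return {_bare(m.group(1))
            for m in map(DEF_RE.match, nm_output.splitlines()) if m}


def missing_symbols(binary_nm, library_nm_outputs):
    """Imports of the binary that none of the given libraries export, sorted."""
    provided = set().union(*(defined_symbols(o) for o in library_nm_outputs))
    return sorted(undefined_symbols(binary_nm) - provided)


def nm_dynamic(path):
    """Run `nm -D` (binutils) on a real file; not used by the sample run."""
    return subprocess.run(["nm", "-D", path], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    gaps = missing_symbols(BINARY_NM, [LIBFOO_OLD_NM, LIBC_NM])
    for sym in gaps:
        print("unresolved at run time:", sym)
    # Expected on the constructed sample: foo_new_api
```

On a real system you would feed `nm_dynamic("/path/to/binary")` and the `nm_dynamic` output of each library listed by `ldd` on that binary to `missing_symbols`; an empty result means the SONAME match RPM checked is also a symbol-level match. A non-empty result is the failure Yury describes, and it is the same whether the binary arrived as an RPM built on a different release or was compiled locally against a newer library than the one the target system has.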
