[Sugar-devel] [sugar] [Proposal] .xot bundles, for translations
Martin Langhoff
martin.langhoff at gmail.com
Mon Dec 8 11:01:43 EST 2008
On Mon, Dec 8, 2008 at 1:50 PM, Sayamindu Dasgupta <sayamindu at gmail.com> wrote:
> Does that work ?
How do we trust that the setup.py is not malicious? Part of what I am
suggesting when I talk about rpm files that have no %post/%pre etc
(and therefore can be installed with --no-scripts) is that we can
reasonably trust that the contents are not maliciously active. (Note
that this needs a few additional checks to be effective.)
If we say that we'll auto-execute a setup.py we have
- less security
- no versioning
- no tracking of what file belongs to what pkg
In other words, I like your original plan :-) -- packaging has a lot
of good reasons. It also has its warts, but they are known and we can
work with them.
cheers,
m
--
martin.langhoff at gmail.com
martin at laptop.org -- School Server Architect
- ask interesting questions
- don't get distracted with shiny stuff - working code first
- http://wiki.laptop.org/go/User:Martinlanghoff
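
A check that a package carries no scriptlets, as an added example that is not part of the original message or of any Sugar code: it reads the RPM header index and reports any %pre/%post-style tags it finds. The tag numbers and the lead/signature/header layout are assumptions based on the RPM file format (the tag list is not exhaustive), and `build_sample` produces constructed bytes, not a real package.

```python
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"      # start of the 96-byte RPM lead
HEADER_MAGIC = b"\x8e\xad\xe8\x01"    # start of each header section
LEAD_SIZE = 96
# Header tags that carry executable scriptlets or triggers (assumed list;
# newer rpm versions define further trigger tags not covered here).
SCRIPT_TAGS = {1023: "prein", 1024: "postin", 1025: "preun", 1026: "postun",
               1065: "triggerscripts", 1079: "verifyscript",
               1151: "pretrans", 1152: "posttrans"}

def read_section(buf, pos):
    """Parse one header section; return (tag numbers, offset past it)."""
    if buf[pos:pos + 4] != HEADER_MAGIC or len(buf) < pos + 16:
        raise ValueError("bad or truncated header at offset %d" % pos)
    nindex, hsize = struct.unpack(">II", buf[pos + 8:pos + 16])
    end = pos + 16 + 16 * nindex + hsize
    if end > len(buf):
        raise ValueError("truncated header section")
    tags = [struct.unpack_from(">I", buf, pos + 16 + 16 * i)[0]
            for i in range(nindex)]
    return tags, end

def scriptlets_in_rpm(buf):
    """Return sorted names of scriptlet tags present in the main header."""
    if buf[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM file")
    _, sig_end = read_section(buf, LEAD_SIZE)
    main_start = (sig_end + 7) & ~7   # signature section is padded to 8 bytes
    tags, _ = read_section(buf, main_start)
    return sorted(SCRIPT_TAGS[t] for t in tags if t in SCRIPT_TAGS)

def build_sample(entries):
    """Constructed input: lead, filler signature section, main header."""
    def section(items):
        index = store = b""
        for tag, text in items:
            index += struct.pack(">IIII", tag, 6, len(store), 1)  # 6 = STRING
            store += text.encode() + b"\0"
        return (HEADER_MAGIC + b"\0" * 4
                + struct.pack(">II", len(items), len(store)) + index + store)
    sig = section([(1000, "filler")])       # constructed filler entry
    sig += b"\0" * (-len(sig) % 8)
    return LEAD_MAGIC + b"\0" * (LEAD_SIZE - 4) + sig + section(entries)

if __name__ == "__main__":
    clean = build_sample([(1000, "demo-langpack")])
    active = build_sample([(1000, "demo-langpack"), (1024, "echo hi")])
    print(scriptlets_in_rpm(clean), scriptlets_in_rpm(active))
```

An installer following this policy would refuse any bundle for which `scriptlets_in_rpm` returns a non-empty list; the file payload itself still needs its own checks.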