[Sugar-devel] Activity packaging
bernie at codewiz.org
Tue Jul 6 16:42:21 EDT 2010
On Tue, 2010-07-06 at 12:02 -0400, Benjamin M. Schwartz wrote:
> I think you are missing an important requirement: installation without
> elevated permissions.
XO and SoaS distributions are configured for sudo with no password.
Rainbow has been bit-rotting for the past 2 years and nobody volunteered
to work on it. The bottom line is that *nowadays*, any activity can
escalate root privileges.
Before someone screams in horror, consider this: the only valuable data
on the laptop belongs to user "olpc". A non-privileged account can
already effectively do anything that a spammer would like to do.
Even in a Rainbow-enabled environment, privileged vs unprivileged
installation isn't by itself the source of security issues. Packages
could easily be checked to ensure that all bundled files are within a
specific path, like we currently do with the zip files. Post-install
scriptlets can be disabled.
Even with these limitations, a native packaging system is still years
ahead of us in terms of robustness and feature-completeness.
> P.S. This cross-posting is getting ridiculous.
Mikus keeps moving this thread to other lists because he won't subscribe
to sugar-devel. (why?? ask him).
// Bernie Innocenti - http://codewiz.org/
\X/ Sugar Labs - http://sugarlabs.org/
More information about the Sugar-devel