[Sugar-devel] Activity packaging

Bernie Innocenti bernie at codewiz.org
Tue Jul 6 16:42:21 EDT 2010

Previous message: [Sugar-devel] Activity packaging
Next message: [Sugar-devel] Activity packaging
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2010-07-06 at 12:02 -0400, Benjamin M. Schwartz wrote:

> I think you are missing an important requirement: installation without
> elevated permissions.

XO and SoaS distributions are configured for sudo with no password.
Rainbow has been bit-rotting for the past 2 years and nobody volunteered
to work on it. The bottom line is that *nowadays*, any activity can
escalate root privileges.

Before someone screams in horror, consider this: the only valuable data
on the laptop belongs to user "olpc". A non-privileged account can
already effectively do anything that a spammer would like to do.

Even in a Rainbow-enabled environment, privileged vs unprivileged
installation isn't by itself the source of security issues. Packages
could easily be checked to ensure that all bundled files are within a
specific path, like we currently do with the zip files. Post-install
scriptlets can be disabled.

Even with these limitations, a native packaging system is still years
ahead of us in terms of robustness and feature-completeness.

> P.S. This cross-posting is getting ridiculous.

Mikus keeps moving this thread to other lists because he won't subscribe
to sugar-devel. (why?? ask him).

-- 
   // Bernie Innocenti - http://codewiz.org/
 \X/  Sugar Labs       - http://sugarlabs.org/

Previous message: [Sugar-devel] Activity packaging
Next message: [Sugar-devel] Activity packaging
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Sugar-devel mailing list