Subject: pkg_comp runs everything as root
To: None <pkgsrc-users@netbsd.org>
From: Christian Hattemer <c.hattemer@arcor.de>
List: pkgsrc-users
Date: 04/23/2006 23:27:03
Hi,

dunno if tech-pkg would be more appropriate, but for starters here it is.

I've finally looked into pkg_comp and it looks indeed nice for experimenting
with pkgsrc or building binary pkgs.

However I feel a bit uncomfortable about running everything as root. I
remember distfiles that got a malicious configure inserted. There's still
the distfile checksum, but the modification might get overlooked by the
developer doing the update. However an even more effective place for such
tampering should be an install script which runs as root anyway. Then the
unprivileged build wouldn't help.

Well, it's inside a chroot, so there shouldn't be much permanent damage, but
backdoor daemons could still run until a reboot.

In summary: Are there real concerns in this area, or am I just paranoid?

Bye, Chris