tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Improving security for pkgsrc

Pierre Pronchery <> writes:

> On 07/30/15 10:26, Thomas Klausner wrote:

>> The whole patch looks like it will only work when you do 'make
>> install', but not with pkg_add. You will need INSTALL script fragments
>> for that.
> I have tried both "make install" and "make package", and it worked in
> both cases. Please correct me if I am wrong, but it seems that even if
> destdir is not supported, the framework always installs files from the
> staging area in ${WRKSRC}/${DESTDIR}. The executables are marked by
> paxctl(8) permanently there. This is unlike chmod(1) for instance, which
> does not modify the original file.

In general, is the notion that paxctl changes the actual binary, and
there is no state anywhere else?

Did you build a binary package, copy it to a different machine, and run
it there?  I think that should work, but it's an obvious test to do.

If destdir is not supported (which is getting to be a more and more
unusual case), then the files are installed from WRKDIR into PREFIX.

Home | Main Index | Thread Index | Old Index