tech-pkg archive


Re: www/serf install permissions fix



"J. Lewis Muir" <jlmuir%imca-cat.org@localhost> writes:

> On 04/05, J. Lewis Muir wrote:
>> 1. It checks for group- or world-writable files.  If it should only
>>    check for world-writable files, obviously it's trivial to change it
>>    to do that.
>
> I've decided that checking for group-writable files is too strict.
> I just tried to build devel/protobuf and came across two packages
> that have distfiles with group-writable files: www/libuv and
> devel/googletest.  If that's at all indicative of what's out there, I
> suspect a full bulk build would have a terrible time.  So, I've updated
> the patch to only check for world-writable files.  The updated patch is
> below.

Without thinking too much (and I haven't had time to really read yet):

  bulk builds don't set PKG_DEVELOPER, or at least they didn't use to.
  It would slow them down and things would break.  People generally set
  that when testing updates before committing.

  I wonder what would happen if you start filing bug reports.  If most
  of them fix their distfiles, that's useful.  But if nobody cares, it
  seems a bit like tilting at windmills.

  If there's a security issue, it seems group writable and world
  writable are not so different (unless you make assumptions about
  groups which seem unwarranted).

  If there are a lot of these, one approach is for you to keep the
  writable PKG_DEVELOPER check just in your tree and we can add the
  post-extract chmod line for them.  But if there are hundreds, that
  seems messy.
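As an added illustration, not code from this thread or from pkgsrc's own mk/ infrastructure: a POSIX shell sketch of the two pieces the thread discusses, a check that reports world-writable files in an extracted distfile tree (with the group-writable variant that the patch dropped as too strict), and the post-extract chmod a package would carry to repair a distfile whose upstream never fixes it. The function names and the directory and file names in the demo tree are constructed for this example.

```shell
#!/bin/sh
# Added example (not pkgsrc code): a PKG_DEVELOPER-style check for writable
# files in an extracted distfile tree, plus the post-extract chmod repair.

# Print regular files under $1 that are world-writable (-perm -002).
# With $2 = "group", also print group-writable ones (-perm -020); that is
# the stricter variant the thread found trips on too many distfiles.
list_writable() {
    if [ "${2:-world}" = "group" ]; then
        find "$1" -type f \( -perm -002 -o -perm -020 \) -print
    else
        find "$1" -type f -perm -002 -print
    fi
}

# Number of files list_writable would report, on stdout.
count_writable() {
    list_writable "$1" "${2:-world}" | wc -l | tr -d ' '
}

# The check itself: succeed silently if the tree is clean, otherwise list
# the offenders on stderr and fail, as a PKG_DEVELOPER check would.
check_writable() {
    offenders=$(list_writable "$1" "${2:-world}")
    [ -z "$offenders" ] && return 0
    printf 'ERROR: %s-writable files under %s:\n%s\n' \
        "${2:-world}" "$1" "$offenders" >&2
    return 1
}

# The repair a package would do after extraction: drop the world write bit
# from everything in the tree (the "post-extract chmod line").
fix_writable() {
    chmod -R o-w "$1"
}

# Build a constructed extraction tree in a temp dir and print its path.
# Names are made up for the demo; only the permission bits matter.
make_demo_tree() {
    wrk=$(mktemp -d)
    mkdir -p "$wrk/foo-1.0/src"
    : > "$wrk/foo-1.0/README"
    : > "$wrk/foo-1.0/src/main.c"
    : > "$wrk/foo-1.0/configure"
    chmod 0666 "$wrk/foo-1.0/src/main.c"   # world- and group-writable
    chmod 0664 "$wrk/foo-1.0/README"       # group-writable only
    chmod 0755 "$wrk/foo-1.0/configure"    # clean
    printf '%s\n' "$wrk"
}

# Run the check before and after the repair on the demo tree.
demo() {
    d=$(make_demo_tree)
    echo "world-writable before fix: $(count_writable "$d")"
    echo "group-or-world-writable before fix: $(count_writable "$d" group)"
    if ! check_writable "$d"; then
        echo "check failed as expected; applying post-extract chmod"
        fix_writable "$d"
    fi
    echo "world-writable after fix: $(count_writable "$d")"
    echo "group-or-world-writable after fix: $(count_writable "$d" group)"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run with `sh script.sh demo`. Note that `fix_writable` only clears the world write bit, so after the repair the stricter group check still reports the same files; whether that matters depends on the group assumptions the reply above calls unwarranted.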
