Kasumi_Ninja Veteran
Joined: 18 Feb 2006 Posts: 1825 Location: The Netherlands
Posted: Thu Nov 08, 2007 7:08 pm
GNUtoo wrote: | That is true even if it's a company that freed the code...
For instance, they found a back door in InterBase that was liberated, and they saw it and fixed it... (http://www.youtube.com/watch?v=KGlNTEQ0RzM)
(if you want to download the video just ask me) |
I would like to download the video ^_^
Quote: | There is also the fact that they mostly communicate via e-mail or IRC... and some users follow these mailing lists... so if they want to make a conspiracy... they must find another way to communicate, and they must include every contributor...
And most of the patches are checked before (when you don't have commit access) or after inclusion in a project,
so the only way to include malware is to "hack" the CVS/SVN/whatever or release system...
This has been done more than once, but it has always been rapidly detected:
http://linux.slashdot.org/article.pl?sid=03/11/06/058249
http://linux.slashdot.org/article.pl?sid=03/11/21/1314238 |
Thanks for the links!
Quote: | And most important... be careful with software that isn't free, and don't install it...
The problem here is the proprietary dependencies...
You have several solutions:
* use paludis (SELinux support???)
* use pkgcore (no SELinux support!!!)
* wait for portage 2.2
* help me / wait for me to finish my perl script that masks non-free packages and dependencies
|
I am sorry I can't code (yet)
Quote: |
Even the ones with the sources... as there are no external contributors... they aren't checked |
What do you mean exactly? And what do you think of my analysis of openSUSE's security?
Aniruddha wrote: |
And these problems compound (in openSUSE's case):
-When you rely heavily on third-party repositories
-These third-party repositories don't have security measures
-You have a build service that anyone can access and has no security policy whatsoever.
-There isn't a testing tree, meaning that all new RPMs are immediately available for everyone. |
_________________ Please add [solved] to the initial post's subject line if you feel your problem is resolved. Help answer the unanswered |
arach Tux's lil' helper
Joined: 22 Jan 2005 Posts: 92 Location: Between the Moon and a star
Posted: Thu Nov 08, 2007 7:21 pm
Portage has two huge security holes that paludis doesn't: privilege escalation via portage cache files, and insecure uninstallation of set*id files, which leaves systems vulnerable to rooting even after insecure packages have been upgraded.
_________________ ble!
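The second hole arach names (unsafe uninstallation of set*id files) is worth seeing concretely. The following is an added example written for this thread; it is not code from Portage, Paludis or the post above. It relies on two Unix facts: a hard link is simply a second name for the same inode, and the permission bits (including setuid/setgid) live in the inode. So if a local user hard-links a set*id binary before the package is upgraded, unlinking only the package's own path leaves the user's link pointing at the same inode, still set*id and still running the old code. Clearing the mode bits before unlinking changes the inode, so every name for it loses the bit at once. All paths and file contents are constructed for the demo; the setuid bit is set on a file the demo owns, so no root is needed.

```shell
#!/bin/sh
# Added example (not from the thread, Portage or Paludis): why an uninstall
# routine must clear set*id bits before unlinking. Constructed fixture only.
set -eu

# Build a scratch "installed" setuid file plus a hard link held by a local
# user. chmod u+s on a file you own needs no root; the bit then means
# "setuid to the owner", which is enough to observe the behaviour.
setup_fixture() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho "old, vulnerable build"\n' > "$d/usr-bin-tool"
    chmod 4755 "$d/usr-bin-tool"            # rwsr-xr-x
    ln "$d/usr-bin-tool" "$d/attacker-link"  # second name, same inode
    printf '%s' "$d"
}

# Naive unmerge: remove the package's path and nothing else.
naive_unmerge() {
    rm -f "$1"
}

# Hardened unmerge: strip every permission bit (set*id included) from the
# inode first, then unlink. Any other name for the inode is neutered too.
safe_unmerge() {
    chmod 0000 "$1"
    rm -f "$1"
}

# Returns 0 (true) if the attacker's link is still setuid after the named
# unmerge function has removed the package's own path.
link_still_setuid_after() {
    d=$(setup_fixture)
    "$1" "$d/usr-bin-tool"
    if [ -u "$d/attacker-link" ]; then rc=0; else rc=1; fi
    rm -rf "$d"
    return "$rc"
}

# Demo: the naive path leaves a live setuid copy; the hardened path does not.
if link_still_setuid_after naive_unmerge; then
    echo "naive unmerge: attacker's hard link is still setuid"
fi
if link_still_setuid_after safe_unmerge; then
    echo "BUG: hardened unmerge left a setuid link"
else
    echo "hardened unmerge: no link keeps the setuid bit"
fi
```

Running it on a normal Linux filesystem prints the first and third messages. The point for a package manager is the ordering: the mode change has to precede the unlink, because once the package's path is gone the manager no longer has a name for the inode and cannot fix it.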
GNUtoo Veteran
Joined: 05 May 2005 Posts: 1919
Posted: Thu Nov 08, 2007 8:30 pm
Aniruddha wrote: |
I would like to download the video ^_^
|
Use one of the following websites:
http://keepvid.com/
http://www.mediapirate.org/
or there is that:
Code: | net-misc/youtube-dl [ Masked ]
Latest version available: 2007.10.12
Latest version installed: [ Not Installed ]
Size of files: 14 kB
Homepage: http://www.arrakis.es/~rggi3/youtube-dl/
Description: A small command-line program to download videos from YouTube.
License: MIT |
Quote: |
What fo you mean exactly?
|
I mean that things that have the source, like the Microsoft Shared Source Initiative, are even a security risk because:
-> it may not be documented
-> nobody gets interested in something you can't modify
In Linux you have several projects that have the sources but are not free and may not be checked...
such as:
-> Opera
-> maybe Blackdown (I don't remember the license well)
Aniruddha wrote: |
And these problems compound (in openSUSE's case):
-When you rely heavily on third-party repositories
|
=> This is very problematic.
Are these binaries, or binaries + sources like in Debian/Ubuntu?
Do you know checkinstall?
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54449 Location: 56N 3W
Posted: Thu Nov 08, 2007 10:45 pm
GNUtoo,
Quote: | *help me/wait for me to finish my perl script that mask non-free packages and dependencies |
I think portage understands LICENCE="..." in make.conf, just like USE, so you may not need your script. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
Kasumi_Ninja Veteran
Joined: 18 Feb 2006 Posts: 1825 Location: The Netherlands
Posted: Thu Nov 08, 2007 10:46 pm
GNUtoo wrote: | Are these binaries, or binaries + sources like in Debian/Ubuntu?
Do you know checkinstall? |
Sometimes source RPMs are provided, although it is not mandatory. You can find more info here:
http://software.opensuse.org/search
http://download.opensuse.org/repositories/
http://packman.links2linux.org/packages
I found the security risk so severe (particularly the openSUSE build service) that I stopped recommending openSUSE to beginners. I know checkinstall, but that is a potentially disastrous tool since it overwrites anything without checking.
spb Retired Dev
Joined: 02 Jan 2004 Posts: 2135 Location: Cambridge, UK
Posted: Thu Nov 08, 2007 10:49 pm
NeddySeagoon wrote: | I think portage understands LICENCE="..." in make.conf, just like USE, so you may not need your script. |
https://bugs.gentoo.org/show_bug.cgi?id=17367
Still open, so I'd guess not... I do know paludis has supported such license filtering pretty much from the beginning though. |
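For reference on the NeddySeagoon/spb exchange: the capability they are discussing (filtering packages by license rather than masking them one by one) is what Gentoo bug 17367 tracked, and Portage later gained it as the ACCEPT_LICENSE variable with license groups defined in the profile's license_groups file. The fragment below is an added example of that later make.conf form; it is not from this thread and was not available in the Portage of the time (spb's reading of the bug was correct then). The group name @FREE is the profile-defined group of free-software and free-documentation licenses.

```sh
# /etc/portage/make.conf (added example; needs a Portage with ACCEPT_LICENSE
# support, which postdates this thread)

# Reject every license first ("-*"), then re-allow only those in the
# profile's @FREE group. Anything else is shown as masked by license at
# emerge time rather than installed silently as a dependency.
ACCEPT_LICENSE="-* @FREE"
```

Per-package exceptions go in /etc/portage/package.license (one "category/package LICENSE-NAME" per line), which keeps the global policy strict while documenting each deliberate deviation in one place.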