From mboxrd@z Thu Jan 1 00:00:00 1970 Received: (from majordomo@localhost) by pauillac.inria.fr (8.7.6/8.7.3) id NAA27522; Tue, 15 Oct 2002 13:49:51 +0200 (MET DST) X-Authentication-Warning: pauillac.inria.fr: majordomo set sender to owner-caml-list@pauillac.inria.fr using -f Received: from concorde.inria.fr (concorde.inria.fr [192.93.2.39]) by pauillac.inria.fr (8.7.6/8.7.3) with ESMTP id NAA27745 for ; Tue, 15 Oct 2002 13:49:50 +0200 (MET DST) Received: from mel-rto3.wanadoo.fr (smtp-out-3.wanadoo.fr [193.252.19.233]) by concorde.inria.fr (8.11.1/8.11.1) with ESMTP id g9FBnn501641; Tue, 15 Oct 2002 13:49:49 +0200 (MET DST) Received: from mel-rta8.wanadoo.fr (193.252.19.79) by mel-rto3.wanadoo.fr (6.5.007) id 3DA24D18004AF646; Tue, 15 Oct 2002 13:49:37 +0200 Received: from iliana (80.14.69.186) by mel-rta8.wanadoo.fr (6.5.007) id 3DA24B4A00478224; Tue, 15 Oct 2002 13:49:37 +0200 Received: from luther by iliana with local (Exim 3.36 #1 (Debian)) id 181QMG-0001XL-00; Tue, 15 Oct 2002 13:59:32 +0200 Date: Tue, 15 Oct 2002 13:59:32 +0200 To: Tim Freeman Cc: luther@dpt-info.u-strasbg.fr, pierre.weis@inria.fr, caml-list@inria.fr Subject: Re: Sign the packages (was Re: [Caml-list] CDK with Ocaml 3.06 (fwd)) Message-ID: <20021015115932.GA5883@iliana> References: <20021014181602.GA2620@iliana> <200210142038.WAA05623@pauillac.inria.fr> <20021014210719.GA3682@iliana> <20021015114400.8DB4680DE@lobus.fungible.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20021015114400.8DB4680DE@lobus.fungible.com> User-Agent: Mutt/1.4i From: Sven Luther Sender: owner-caml-list@pauillac.inria.fr Precedence: bulk On Tue, Oct 15, 2002 at 04:21:03AM -0700, Tim Freeman wrote: > >...anonymously upload packages... > >Maybe you could go without signatures even, since after all, there > >is nothing critical and absolutely needing root access in the ocaml > >packages. > > This is quite dangerous. Anyone can then anonymously upload a new > version of any package that starts by doing "rm -rf ~". Well, sure. So you have 2 choices : o require signed uploads from people you trust (and can visit consequence upon if they misbehave) o doing it so it will not be installed as root. Mmm, i did not see that it would erase the home directory. Well, this is only possible if the packages include scripts to be run before or after the install. This is what debian uses right now, but then we use solution 1 above. Friendly, Sven Luther ------------------- To unsubscribe, mail caml-list-request@inria.fr Archives: http://caml.inria.fr Bug reports: http://caml.inria.fr/bin/caml-bugs FAQ: http://caml.inria.fr/FAQ/ Beginner's list: http://groups.yahoo.com/group/ocaml_beginners