linux-kernel.vger.kernel.org archive mirror
From: Larry McVoy <lm@bitmover.com>
To: Pavel Machek <pavel@suse.cz>
Cc: Dave Jones <davej@suse.de>, kernel list <linux-kernel@vger.kernel.org>
Subject: Re: Bitkeeper licence issues
Date: Tue, 19 Mar 2002 15:25:02 -0800
Message-ID: <20020319152502.J14877@work.bitmover.com>
In-Reply-To: <20020318212617.GA498@elf.ucw.cz> <20020318144255.Y10086@work.bitmover.com> <20020318231427.GF1740@atrey.karlin.mff.cuni.cz> <20020319002241.K17410@suse.de> <20020319220631.GA1758@elf.ucw.cz>

On Tue, Mar 19, 2002 at 11:06:32PM +0100, Pavel Machek wrote:
> >  > > Pavel, the problem here is your fundamental distrust.  
> >  > By giving me a binary-only installer you ask me to trust you. You ask me
> >  > to trust you without good reason [it only generates a .tar.gz and a
> >  > shell script, why should it be binary? Was not shar designed to handle
> >  > that?], and that's pretty suspect.
> > 
> >  Bitmover doing anything remotely suspect in an executable installer
> >  would be commercial suicide, do you distrust realplayer too?
> 
> Actually, the installer contains a security hole allowing any user to
> overwrite any file on the system if you install it as root with a simple
> symlink.

Come on Pavel, in order to make this happen, you have to

	a) run the installer as root
	b) know the next pid which will be allocated
	c) put the symlink in /tmp/installer$pid

and do all before that pid gets used.  Have you actually been able to
do that?  I'd like to see how you did so without knowing exactly when
root was going to install the package and without filling up /tmp with
64,000 symlinks.

I'll grant you this is something we can trivially make go away as an 
issue, and we have, but it's mostly to make you go away as an issue,
not because we believe for one second this is a realistic problem.
-- 
---
Larry McVoy            	 lm at bitmover.com           http://www.bitmover.com/lm 
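
The temp-file pattern debated in this message, as an added example that is not from the thread or from the installer itself: it contrasts a predictable `installer$pid` name opened without `O_EXCL` against the same name opened exclusively and against `mkstemp()`. Only the `installer$pid` naming comes from the message; the open flags of the weak form, the `symdemo` sandbox directory and all function names are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum mode { PREDICTABLE, EXCLUSIVE, MKSTEMP };

static int open_tmp(enum mode m, const char *dir, char *path, size_t n) {
    if (m == MKSTEMP) { /* unpredictable name, created with O_EXCL */
        snprintf(path, n, "%s/installerXXXXXX", dir);
        return mkstemp(path);
    }
    snprintf(path, n, "%s/installer%ld", dir, (long)getpid());
    /* PREDICTABLE (assumed weak form): no O_EXCL, so a symlink already at this
     * path is followed and its target truncated. EXCLUSIVE: O_EXCL fails with
     * EEXIST if anything, even a dangling symlink, exists there. */
    int flags = (m == EXCLUSIVE) ? (O_EXCL | O_NOFOLLOW) : O_TRUNC;
    return open(path, O_WRONLY | O_CREAT | flags, 0600);
}

/* Constructed scenario in a private mkdtemp() sandbox: a symlink to "victim"
 * sits at the predictable name. Returns 1 if clobbered, 0 if intact, -1 on error. */
static int victim_clobbered(enum mode m) {
    char dir[] = "/tmp/symdemoXXXXXX", victim[64], lnk[64], path[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/installer%ld", dir, (long)getpid());
    int v = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (v < 0 || write(v, "keep", 4) != 4 || symlink(victim, lnk) != 0) return -1;
    close(v);
    int fd = open_tmp(m, dir, path, sizeof path);
    if (fd >= 0) {
        if (write(fd, "x", 1) != 1) perror("write");
        close(fd);
        unlink(path); /* removes the link or temp file itself, never a target */
    }
    int clobbered = stat(victim, &st) != 0 || st.st_size != 4;
    unlink(lnk); unlink(victim); rmdir(dir);
    return clobbered;
}

int main(void) {
    printf("predictable=%d exclusive=%d mkstemp=%d\n", victim_clobbered(PREDICTABLE),
           victim_clobbered(EXCLUSIVE), victim_clobbered(MKSTEMP));
    return 0;
}
```

With either hardened form the outcome no longer depends on whether the pid can be guessed in time, which is the point the two sides of the thread disagree on.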
