On Sat, 28 Apr 2012 21:49:34 +0200, Piotr Jawidzyk wrote:
> http://talk.maemo.org/showthread.php?t=83948
>
> This is another topic that covers - more specifically - recently
> discovered (by mistake) security hole.
Not exactly a security hole, because there is no security at all on
extras-devel.
Out of curiosity: why are you thinking that this is critical for the CSSU?
Are you building packages there or similar?
One can add small trivial checks (like the one that is not in place for -
devel but it is in place -testing for conflicting packages). Yet this
would block accidental mistakes, but not block anyone trying to do
something with malicious purposes, which is outright impossible. Think
about the bazillion degrees of freedom a packager has. Provides, etc.
In OBS, you can manually (for a given project) select which other
projects you want to fetch build-dependencies from.
> http://talk.maemo.org/showthread.php?t=83948
>
> This is another topic that covers - more specifically - recently
> discovered (by mistake) security hole.
Not exactly a security hole, because there is no security at all on
extras-devel.
Out of curiosity: why are you thinking that this is critical for the CSSU?
Are you building packages there or similar?
One can add small trivial checks (like the one that is not in place for -
devel but it is in place -testing for conflicting packages). Yet this
would block accidental mistakes, but not block anyone trying to do
something with malicious purposes, which is outright impossible. Think
about the bazillion degrees of freedom a packager has. Provides, etc.
In OBS, you can manually (for a given project) select which other
projects you want to fetch build-dependencies from.
Javier.