5 Nov 2009, 4:41 p.m.
On Thu, Nov 5, 2009 at 10:38 AM, Daenyth Blank <daenyth+arch@gmail.com> wrote:
> On Thu, Nov 5, 2009 at 12:05, Aaron Griffin <aaronmgriffin@gmail.com> wrote:
>> The eval seems slightly dangerous to me... does anyone else have this concern, or am I being too careful?
>
> eval is always dangerous. In this case, however, it's eval-ing from a text file only writable by root. If an attacker has root write permissions, you have more to worry about than this.

That's a fair enough point. I was wondering, though, if it might be more prudent to sed out the value and actually set it with no eval at all. Does anyone actually use inline execution in their makepkg.conf?
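
The two approaches weighed in this thread, side by side, as an added example (not code from makepkg or from any poster): eval-ing a config line runs whatever command substitution it contains, while extracting the value with sed keeps it as inert text. The sample file contents, the choice of `PKGDEST`, the marker file, and all function names are assumptions made for illustration.

```sh
#!/bin/sh
# Constructed sample config. The PKGDEST line carries inline command
# substitution that creates a marker file if the line is ever executed.
make_sample_conf() {    # $1 = directory to write the sample into
    cat > "$1/makepkg.conf" <<EOF
CARCH="x86_64"
PKGDEST="/srv/pkg\$(touch $1/executed)"
EOF
}

# eval approach: the matching line is run as shell code.
read_with_eval() {      # $1 = config file
    ( eval "$(grep '^PKGDEST=' "$1")"; printf '%s\n' "$PKGDEST" )
}

# sed approach: the value is copied out as text and never executed.
read_without_eval() {   # $1 = config file, $2 = variable name
    case $2 in ''|*[!A-Za-z0-9_]*) return 2 ;; esac   # keep the name regex-safe
    value=$(sed -n "s/^$2=//p" "$1" | tail -n 1)      # last assignment wins
    case $value in                                    # drop one pair of quotes
        \"*\") value=${value#\"}; value=${value%\"} ;;
        \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    printf '%s\n' "$value"
}

# Reports whether an extracted value relies on inline execution.
has_inline_execution() {    # $1 = extracted value
    case $1 in *'$('*|*'`'*) return 0 ;; *) return 1 ;; esac
}

demo=$(mktemp -d)
make_sample_conf "$demo"
printf 'sed:  %s\n' "$(read_without_eval "$demo/makepkg.conf" PKGDEST)"
if [ -e "$demo/executed" ]; then echo 'marker exists'; else echo 'no marker yet'; fi
printf 'eval: %s\n' "$(read_with_eval "$demo/makepkg.conf")"
if [ -e "$demo/executed" ]; then echo 'marker exists'; else echo 'no marker'; fi
rm -rf "$demo"
```

The sed path returns the literal text, so a config that depends on inline execution would behave differently under it; `has_inline_execution` is one way to find such values before switching.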