[arch-general] makepkg security

Alessandro Doro ordo.ad at gmail.com
Thu Jul 9 21:39:19 EDT 2009

On Thu, Jul 09, 2009 at 08:45:26PM -0400, Daenyth Blank wrote:
> On Thu, Jul 9, 2009 at 20:25, Alessandro Doro<ordo.ad at gmail.com> wrote:
> > A simple workaround could be a "sudo  -k" after each sudo invocation in
> > the makepkg script.
> >
> I don't think there should be any such behavior added. All we do is
> follow the settings the user has established -- no more and no less.
> Let's not have our tools start second-guessing the users. We should
> always start with the assumption that the user is competant.

Competent and informed: I don't see a warning about potential¹ security
issue in makepkg(8).
Moreover the description of the '-s' option doesn't talk about the way
root privileges are acquired².
At least the sudo prompt should be customized, or is the user supposed
to read the source (read: the user should not second-guess the tool)?
Anyway I'm for discouraging the use of sudo for admnistrative tasks.


¹ Really theoretical, assuming that the user:
  · read the PKGBUILD,
  · trust the package source.

² Ok, ok... we all know it is obviuos.

More information about the arch-general mailing list