#1 2005-06-24 01:32:42

kleptophobiac
Member
From: Sunnyvale, CA
Registered: 2004-04-25
Posts: 481

All repos, not just AUR - automatic kernel module reminders

I think it would be a good idea to automatically email the owners of kernel module packages to update their packages when new stock kernels come out, or make it a rule to have the PKGBUILD use uname -r to get the kernel version, and have the system automatically rebuild those packages.

Thoughts?

Offline

#2 2005-06-24 08:28:46

dtw
Forum Fellow
From: UK
Registered: 2004-08-03
Posts: 4,432

Re: All repos, not just AUR - automatic kernel module reminders

There is some current debate that backtick execution, e.g. `uname -r`, is bad in PKGBUILDs. This is the same reason I have advised you against using `date +%d` in the CVS PKGBUILD thread. It's considered to be insecure by some as it allows too many security holes. So it's pretty unlikely to be adopted as a standard.

With regard to kernel releases: if people are making modules for kernels and putting them in the AUR then I would hope they have an active interest in the modules and will be watching for new releases of the kernel anyway.

However, I can see this is not the case and some people are clearly contributing PKGBUILDs to the AUR purely for the sake of it then forgetting about it - that's something we are trying to work on too!

Offline

#3 2005-06-24 15:48:02

kleptophobiac
Member
From: Sunnyvale, CA
Registered: 2004-04-25
Posts: 481

Re: All repos, not just AUR - automatic kernel module reminders

I don't quite understand the security risk... could you point me in the direction of some of that debate?

Offline

#4 2005-06-24 16:57:00

Snowman
Developer/Forum Fellow
From: Montreal, Canada
Registered: 2004-08-20
Posts: 5,212

Re: All repos, not just AUR - automatic kernel module reminders

It was discussed on the tur-users mailing list. Here's the thread:
http://www.archlinux.org/pipermail/tur- … 01062.html

Offline

#5 2005-06-24 21:21:04

dtw
Forum Fellow
From: UK
Registered: 2004-08-03
Posts: 4,432

Re: All repos, not just AUR - automatic kernel module reminders

kleptophobiac wrote:

I don't quite understand the security risk... could you point me in the direction of some of that debate?

If you can't be bothered to read the list, it is as simple as

pkgver=`rm -rf /`

besides:

pkgver=`date +%d%m%y`

for example won't let you use gensync to create repos - so that is crap too!

Offline
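A PKGBUILD is a shell script, so any tool that sources it just to read `pkgver` also runs whatever sits inside the backticks. As an added example (not from this thread and not part of any Arch tool), the check below reads the file as text and flags command substitution in top-level assignments without ever sourcing it; the function names and the sample PKGBUILD are constructed for illustration.

```shell
#!/bin/sh
# Added example: text-only check for command substitution in PKGBUILD variables.
# The file is only read by awk, never sourced, so nothing inside it is executed.

# scan_pkgbuild FILE
# Prints "LINENO:TEXT" for every top-level assignment containing `...` or $(...).
# Returns 1 if anything was flagged, 0 if the file is clean.
# Heuristic: also flags $((arithmetic)) and backticks inside quoted strings,
# and assumes function bodies end with "}" in the first column.
scan_pkgbuild() {
    awk '
        # Function bodies such as build() { ... } are expected to run commands.
        /^[A-Za-z_][A-Za-z0-9_]*[ \t]*\(\)/ { in_func = 1 }
        in_func { if (substr($0, 1, 1) == "}") in_func = 0; next }
        /^[ \t]*#/ { next }    # comment lines
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[+]?=/ && /`|\$\(/ {
            print NR ":" $0
            found = 1
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# write_sample FILE
# Writes a constructed PKGBUILD (not a real package) using the two
# substitutions mentioned in the thread. The quoted heredoc delimiter
# keeps the shell from expanding anything while writing it.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample PKGBUILD
pkgname=example-module
pkgver=`date +%d%m%y`
_kernver=$(uname -r)
pkgrel=1
build() {
  cd "$startdir/src"
  make KVER=`uname -r`
}
EOF
}

sample=$(mktemp)
write_sample "$sample"
scan_pkgbuild "$sample" || echo "command substitution found: review before sourcing"
rm -f "$sample"
```

A clean result only means the metadata lines are static; the `build()` body still runs arbitrary commands when the package is built.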

#6 2005-06-25 01:35:48

kleptophobiac
Member
From: Sunnyvale, CA
Registered: 2004-04-25
Posts: 481

Re: All repos, not just AUR - automatic kernel module reminders

Oooh, I was trying to figure it from the other direction, like how simple commands like date and uname could be exploited.

Offline

#7 2005-06-25 09:27:28

phrakture
Arch Overlord
From: behind you
Registered: 2003-10-29
Posts: 7,879

Re: All repos, not just AUR - automatic kernel module reminders

kleptophobiac wrote:

Oooh, I was trying to figure it from the other direction, like how simple commands like date and uname could be exploited.

# make blow_up_computer
# make install
# mv /usr/bin/blow_up_computer /bin/date

Offline

#8 2005-06-25 12:51:04

kleptophobiac
Member
From: Sunnyvale, CA
Registered: 2004-04-25
Posts: 481

Re: All repos, not just AUR - automatic kernel module reminders

Yes, but that requires there to be a binary in the tarball, and wouldn't it be a simple check to make sure there are no binaries? For packages that really needed it, there could always be exceptions (like my ivtv which requires a binary firmware).

I suppose you could always wget or tftp a binary... hmmm

Yeah, this could be problematic.

Offline
