I think it would be a good idea to automatically email the owners of kernel module packages to update their packages when new stock kernels come out, or make it a rule to have the PKGBUILD use uname -r to get the kernel version, and have the system automatically rebuild those packages.
thoughts?
There is some current debate that backtick execution e.g. `uname -r` is bad in PKGBUILDs. This is the same reason I have advised you against using `date +%d` in the CVS PKGBUILD thread. It's considered to be insecure by some as it allows too many security holes. So it's pretty unlikely to be adopted as a standard.
With regard to kernel releases. If people are making modules for kernels and putting them in the AUR then I would hope they have an active interest in the modules and will be watching for new releases of the kernel anyway.
However, I can see this is not the case and some people are clearly contributing PKGBUILDs to the AUR purely for the sake of it then forgetting about it - that's something we are trying to work on too!
I don't quite understand the security risk... could you point me in the direction of some of that debate?
It was discussed on the tur-users mailing list. Here's the thread:
http://www.archlinux.org/pipermail/tur- … 01062.html
I don't quite understand the security risk... could you point me in the direction of some of that debate?
if you can't be bothered to read the list it is as simple as
pkgver=`rm -rf /`
besides:
pkgver=`date +%d%m%y`
for example won't let you use gensync to create repos - so that is crap too!
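A defender's check for the pattern this post warns about, added here as an example and not taken from the thread or from any Arch tool: sourcing a PKGBUILD runs any backtick or $(...) substitution in it, so a static scan of assignment lines can flag a file before makepkg or gensync evaluates it. The `check_pkgbuild` function and the sample PKGBUILD contents are constructed for this example.

```sh
#!/bin/sh
# Added example (not the thread's or Arch's own code): flag command
# substitution in PKGBUILD variable assignments before the file is sourced.

# check_pkgbuild FILE
# Returns 0 if no assignment uses `...` or $(...), 1 otherwise, printing the
# offending lines to stderr. Heuristic: it looks only at lines of the form
# NAME=value, so commands inside build() are not reported, but an assignment
# inside build() that uses substitution would be (treat that as a caveat).
check_pkgbuild() {
    file="$1"
    # Single quotes keep the backtick literal; grep -E sees: NAME=...`  or  NAME=...$(
    pattern='^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=.*(`|\$\()'
    if grep -qE "$pattern" "$file"; then
        echo "UNSAFE: $file runs commands when sourced:" >&2
        grep -nE "$pattern" "$file" | sed 's/^/  line /' >&2
        return 1
    fi
    return 0
}

# Constructed samples: a static pkgver (safe) and the substitution forms
# discussed in the thread (unsafe).
demo() {
    safe=$(mktemp); unsafe=$(mktemp)
    cat > "$safe" <<'EOF'
pkgname=example-module
pkgver=2.6.12
pkgrel=1
build() {
  make
}
EOF
    cat > "$unsafe" <<'EOF'
pkgname=example-module
pkgver=`uname -r`
pkgrel=$(date +%d%m%y)
EOF
    check_pkgbuild "$safe" && echo "OK: $safe has only static assignments"
    check_pkgbuild "$unsafe" || echo "rejected: $unsafe"
    rm -f "$safe" "$unsafe"
}

# Run the demo only when executed directly, not when sourced for testing.
case "$0" in *check_pkgbuild*|*demo*) demo ;; esac
```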
oooh, I was trying to figure it from the other direction, like how simple commands like date and uname could be exploited.
oooh, I was trying to figure it from the other direction, like how simple commands like date and uname could be exploited.
# make blow_up_computer
# make install
# mv /usr/bin/blow_up_computer /bin/date
Yes, but that requires there to be a binary in the tarball, and wouldn't it be a simple check to make sure there are no binaries? For packages that really needed it, there could always be exceptions (like my ivtv which requires a binary firmware)
I suppose you could always wget or tftp a binary... hmmm
yeah, this could be problematic.