Re: Bitkeeper licence issues

Larry McVoy (lm@bitmover.com)
Tue, 19 Mar 2002 15:25:02 -0800


On Tue, Mar 19, 2002 at 11:06:32PM +0100, Pavel Machek wrote:
> > > > Pavel, the problem here is your fundamental distrust.
> > > By giving me binary-only installer you ask me to trust you. You ask me
> > > to trust you without good reason [it only generates .tar.gz and
> > > shellscript, why should it be binary? Was not shar designed to handle
> > > that?], and that's pretty suspect.
> >
> > Bitmover doing anything remotely suspect in an executable installer
> > would be commercial suicide, do you distrust realplayer too?
>
> Actually, the installer contains security hole allowing any user to
> overwrite any file on system if you install it as root with simple
> symlink.

Come on Pavel, in order to make this happen, you have to

a) run the installer as root
b) know the next pid which will be allocated
c) put the symlink in /tmp/installer$pid

and do all before that pid gets used. Have you actually be able to
do that? I'd like to see how you did so without knowing exactly when
root was going to install the package and without filling up /tmp with
64,000 symlinks.

I'll grant you this is something we can trivially make go away as an
issue, and we have, but it's mostly to make you go away as an issue,
not because we believe for one second this is a realistic problem.

-- 
---
Larry McVoy            	 lm at bitmover.com           http://www.bitmover.com/lm 
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/