Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Installation of software, and security. . .
From: Tim Nelson <tim.nelson () webalive biz>
Date: Tue, 19 Jul 2005 14:01:01 +1000 (EST)

On Sun, 17 Jul 2005, John Richard Moser wrote:

like a complete mess. Far too many programs wouldn't need an installation in the
first place. And it's hard to give end users a rule of thumb on how to handle
installation programs when there is no real agreement on what installers should
(not) do. At least from my POV.

Yes, you hit the nail on the head with a jackhammer.  One discussion on
autopackage was that the devs don't want to limit the API and thus want
the prepare, install, and uninstall to be a bash script supplied by the
package "so it can do anything."  I hate this logic.  Why does it need
to be able to do "anything"?

I think you're both right :). I agree that packages need to be able to do anything, but it'd be nice if we could try to eliminate the pre and post install scripts.

One thing that would be useful is if someone could look at the things that are typically done in pre/post install scripts, and then integrate those into the package manager. We have a set of custom RPMs here, and they do a variety of things in the pre and post install scripts, but the main ones are:
-       Reconfigure other software; apache never needs this, because it
        uses the conf.d directory, but the tomcat we use doesn't seem to
        work this way, and it should
-       Service reloads; after we add a file which does the apache config,
        we need to reload apache; if RPM supported us going
        "%reload apache", then we wouldn't need the post-install script
        for that

        My suggested solution would be to:
1.      Build in to RPM (or whatever) any relatively harmless features
        which are regularly used (eg. reload)
2.      Issue a security warning and quit for any packages that have
        pre/post install scripts, and any actions that might cause trouble
        (eg. reload)
3.      Set --with-scripts (or something) to enable running scripts, and
        --with-actions to enable potentially troublesome actions (eg.
        reload), or --without-actions to just install files and not do the



Kind Regards,
Tim Nelson
Server Administrator
P: 03 9934 0888
F: 03 9934 0899
E: tim.nelson () webalive biz
W: www.webalive.biz
WebAlive Technologies
Level 1, Innovation Building
Digital Harbour
1010 La Trobe Street
Docklands Melbourne VIC 3008

This email (including all attachments) is intended solely for the named addressee. It is confidential and may contain 
legally privileged information. If
you receive it in error, please let us know by reply email, delete it from your system and destroy any copies. This 
email is also subject to copyright. No
part of it should be reproduced, adapted or transmitted without the written consent of the copyright owner.

Emails may be interfered with, may contain computer viruses or other defects and may not be successfully replicated on 
other systems. We give no
warranties in relation to these matters. If you have any doubts about the authenticity of an email purportedly sent by 
us, please contact us immediately.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]