| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 9 Sep 2006 09:06:38 -0400 From: Tim <tim-security@...tinelchicken.org> To: Cristi Mitrana <cristi.mitrana@...il.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Re: tar alternative > What problems ? 1. tar archives contain information about the user and group of a file. This is critical for backups, but quite unnecessary for software distribution in the vast majority of cases. It is a common pitfall for software authors to leak information about their systems this way. 2. As discussed in this thread, tar archives contain permissions for files. Also important for backups, not important for software distribution IMHO. 3. tar traditionally allows files to be extracted to any directory, which can be dangerous. True, these behaviors can be overridden, or a tool developed that has safe defaults, but then the tool would be less useful for backups. The point is, the Unix community has been using a backup tool for software distribution for many years. Perhaps having the right tool for the job would be safer. For instance, a format that only contained filenames and timestamps, and is built to only output all files under a specific directory tree would be nice. > I would say cpio, but you don't want any backup designed archivers. Yeah, I had thought of that as well, but it likely has the same issues. thanks, tim _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists