lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <31644.1257376315@turing-police.cc.vt.edu>
Date:	Wed, 04 Nov 2009 18:11:55 -0500
From:	Valdis.Kletnieks@...edu
To:	Mikulas Patocka <mikulas@...ax.karlin.mff.cuni.cz>
Cc:	Martin Nybo Andersen <tweek@...ek.dk>,
	Alan Cox <alan@...rguk.ukuu.org.uk>,
	"Ryan C. Gordon" <icculus@...ulus.org>,
	Måns Rullgård <mans@...sr.com>,
	linux-kernel@...r.kernel.org
Subject: Re: package managers [was: FatELF patches...]

On Wed, 04 Nov 2009 22:11:47 +0100, Mikulas Patocka said:

> Another example: I needed new binutils because it had some bugs fixed over 
> standard Debian binutils. So I downloaded .tar.gz from ftp.gnu.org, 
> compiled it, then issued a command to remove the old package, passed it a 
> flag to ignore broken dependencies and then typed make install to install 
> new binaries. --- guess what --- on any further invocation of dselect it 
> complained that there are broken dependencies (the compiler needs 
> binutils) and tried to install the old binutils package!

> Why is the package management so stupid? Why can't it check $PATH for "ld" 
> and if there is one, don't try to install it again?

Because it has no way to tell what version of /usr/bin/foobar you installed
behind its back, if it's GNU Foobar or some other foobar, what its flags are,
whether it's bug-compatible with the foobar other things on the system are
expecting, and so on. (And go look at the scripts/ver_linux file in the Linux
source tree before you suggest the package manager run the program to find out
its version. That's only 10-15 binaries, and you'd need something like that for
*every single thing in /usr/bin). And it can't blindly assume you installed a
newer version - you may have intentionally installed a *backlevel* binary,
because you found a showstopper bug in the shipped version. So the only sane
thing it can do is try to re-install what it thinks is current.

Walking $PATH is even worse - if it finds a /usr/local/bin/ld, it's a pretty
damned good guess that it's there *because* it's not the /bin/ld that the
system shipped with.  So why should it use it?

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ