Date:	Wed, 12 Sep 2012 21:39:21 +0100
From:	Ben Hutchings <ben@...adent.org.uk>
To:	Henrique de Moraes Holschuh <hmh@....eng.br>,
	Andi Kleen <andi@...stfloor.org>
Cc:	pkg-sysvinit-devel@...ts.alioth.debian.org,
	debian-devel@...ts.debian.org, linux-kernel@...r.kernel.org,
	linux-kbuild@...r.kernel.org
Subject: Re: (fwd) make tar*-pkg considered dangerous

On Wed, Sep 12, 2012 at 01:11:54PM -0300, Henrique de Moraes Holschuh wrote:
> I am forwarding this as a reminder that, should we ever get to the point of
> moving around /lib or /usr/lib, /sbin or /usr/sbin, and /bin or /usr/sbin,
> as well as any other such trunks, we really ought to consider whether we
> should be using symlinks or bind mounts [where possible] for such moves.
> 
> Also, just in case, Debian users are gently reminded that there are less
> unsavory methods of packing custom kernel builds for later use in Debian
> boxes, including the Linux upstream "deb-pkg" make target (dpkg is a lot
> smarter than "tar"), and the make-kpkg command provided by the
> kernel-package Debian package (which IMHO tends to produce better kernel
> .deb packages than the upstream "deb-pkg" make target).

kernel-package is effectively unmaintained, so please don't recommend
its use unless you intend to rectify that.

> ----- Forwarded message from Andi Kleen <andi@...stfloor.org> -----
> Date: Wed, 12 Sep 2012 05:16:46 +0200
> From: Andi Kleen <andi@...stfloor.org>
> To: linux-kernel@...r.kernel.org, linux-kbuild@...r.kernel.org
> Subject: make tar*-pkg considered dangerous
> 
> Hi,
> 
> We've had some incidents with people destroying Fedora 17 installs
> (to the point of reinstall) by installing a kernel tarball generated with
> make tar*-pkg
> 
> The problem is that the tarball includes /lib/{modules,firmware},
> but on FC17 /lib is a symlink. tar when it unpacks the tarball
> replaces the symlink with the directory.
[...]

Presumably the tarball also contains an entry for the directory lib,
and that (not the subdirectory entries) triggers tar to replace the
symlink.  So this can be fixed by only including
lib/{modules,firmware} in the tarball, not lib.

A quick experiment under F16 (tar 1.26) supports this.
 
Ben.

-- 
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking.
                                                              - Albert Camus
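
The condition described in the reply above, as an added example that is not part of the original message: a Python check that lists the directory entries in a tarball whose own path is currently a symlink on the target root, which is the case the reply identifies as triggering the replacement. The root layout, file names and the `3.6.0` version are constructed sample data, and the function names are hypothetical.

```python
import io
import os
import tarfile
import tempfile


def build_tar(names):
    """Build an in-memory tarball; names ending in '/' become directory entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            info = tarfile.TarInfo(name.rstrip("/"))
            if name.endswith("/"):
                info.type = tarfile.DIRTYPE
                info.mode = 0o755
                tf.addfile(info)
            else:
                data = b"constructed sample\n"
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def symlink_clobber_risks(fileobj, root):
    """Return directory entries whose own path under root is currently a symlink."""
    risky = []
    with tarfile.open(fileobj=fileobj, mode="r") as tf:
        for member in tf:
            name = os.path.normpath(member.name)
            if name.startswith("..") or os.path.isabs(name):
                continue  # paths outside root are a separate problem, not checked here
            # Only the final path component matters: an entry for "lib" hits the
            # symlink itself, while "lib/modules" is merely reached through it.
            if member.isdir() and os.path.islink(os.path.join(root, name)):
                risky.append(name)
    return risky


def demo():
    """Constructed root with lib -> usr/lib, checked against both tarball layouts."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr", "lib"))
        os.symlink("usr/lib", os.path.join(root, "lib"))
        with_lib = build_tar(["lib/", "lib/modules/", "lib/modules/3.6.0/modules.dep"])
        without_lib = build_tar(["lib/modules/", "lib/modules/3.6.0/modules.dep"])
        return symlink_clobber_risks(with_lib, root), symlink_clobber_risks(without_lib, root)
```

Running the same check against `/` before unpacking a tar*-pkg tarball shows whether it carries a top-level entry that collides with a symlinked directory.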