[Yum-devel] yum 3.0.6 released

seth vidal skvidal at linux.duke.edu
Wed Apr 11 02:12:33 UTC 2007


On Tue, 2007-04-10 at 21:09 -0500, Michael E Brown wrote:
> On Tue, Apr 10, 2007 at 10:10:09PM -0400, seth vidal wrote:
> > On Tue, 2007-04-10 at 21:06 -0500, Michael E Brown wrote:
> > > On Tue, Apr 10, 2007 at 08:39:25PM -0400, Jeremy Katz wrote:
> > > > On Tue, 2007-04-10 at 20:20 -0400, seth vidal wrote:
> > > > > On Wed, 2007-04-11 at 00:43 +0200, Hans-Peter Jansen wrote:
> > > > > > On Tuesday, 10 April 2007 07:19, seth vidal wrote:
> > > > > > > Tarball:
> > > > > > >  http://linux.duke.edu/yum/download/3.0/yum-3.0.6.tar.gz
> > > > > > 
> > > > > > Any specific reason, why the tarball contains all those CVS dirs, or just 
> > > > > > escaped your notice?
> > > > > > 
> > > > > It doesn't contain any more than any other release of yum has. Or do you
> > > > > mean in general, why do we leave the CVS dirs in place? And if so I'd
> > > > > say you might have a point. :)
> > > > 
> > > > In fact, what about the following to add a 'make dist' target that does
> > > > an export off of the tag for the release?
> > > 
> > > This patch creates a /tmp file vulnerability for anybody making a build,
> > > where an attacker can overwrite arbitrary files owned by the person running
> > > the build.
> > 
> > but the script runs on my laptop.
> > 
> > I'm really positive there are no attackers on my laptop. Hell, I'll turn
> > off wireless to prove it :)
> 
> Yeah, but are you the only person who ever makes a yum build? I know I've made a few.

I agree - mktemp -d is my friend.

-sv
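
The `mktemp -d` approach agreed on above, as an added example that is not code from this thread or from yum's build files: a release tarball is staged in a private, randomly named directory instead of a fixed path under /tmp. The function names `make_dist` and `make_sample_tree`, their arguments, and the copy-and-prune step standing in for a CVS export are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: stage a release tarball in a private mktemp -d directory.
# make_dist and its arguments are hypothetical, not yum's own 'make dist'.

# make_dist SRC_DIR NAME VERSION OUT_DIR  -> prints the tarball path
make_dist() (
    src=$1; name=$2; version=$3; out=$4

    # mktemp -d creates the directory atomically, mode 0700, with a random
    # suffix, and fails rather than reusing an existing path. A fixed name
    # such as /tmp/$name-$version can be pre-created or symlinked by another
    # local user, so the build would write wherever that user pointed it.
    stage=$(mktemp -d "${TMPDIR:-/tmp}/dist.XXXXXXXX") || exit 1
    # The function body is a subshell, so this fires when make_dist ends,
    # on success or failure.
    trap 'rm -rf "$stage"' EXIT

    mkdir "$stage/$name-$version" || exit 1
    # Stand-in for a VCS export: copy the tree, then drop CVS metadata dirs.
    cp -R "$src/." "$stage/$name-$version/" || exit 1
    find "$stage/$name-$version" -type d -name CVS -prune -exec rm -rf {} +

    tar -czf "$out/$name-$version.tar.gz" -C "$stage" "$name-$version" || exit 1
    printf '%s\n' "$out/$name-$version.tar.gz"
)

# Constructed sample checkout containing the CVS dirs the thread mentions.
make_sample_tree() {
    mkdir -p "$1/CVS" "$1/yum/CVS"
    echo 'print("hi")' > "$1/yum/__init__.py"
    echo ':pserver:example' > "$1/CVS/Root"
    echo ':pserver:example' > "$1/yum/CVS/Root"
}
```
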




