[Yum] Security issues with include= implementation in yum.conf

seth vidal skvidal at phy.duke.edu
Sun Oct 5 20:48:55 UTC 2003


> Oh.  I misunderstood and assumed that they existed in the config
> file itself, the whole thing being started from the config on the 
> system. 

they do - but there doesn't have to be any contents of the config file
except for an include= - so clearly there is no place to read config
from.

 
> Again, my assumption was that the includes were occurring in
> the config file itself.  I must have completely misunderstood the 
> feature.  I have a config format for building RH distros that supports
> includes (but not from the network), so I was thinking along those
> lines.  My bad...sorry.

np. I didn't mean to come off harshly - I was just explaining the
difficulties.

 
> Ultimately, as with having the gpg sig checking disabled from a config
> over the net, I was only trying to point out that there may be some
> config items that are best not overridable by configs from a remote
> source that you don't have control over.
> 

but how do you determine if you have control over the remote source or
not? You might and therefore might need them.

I think I'm going to go with the feature and just flag the potential
concerns in the man page to warn the user of the dangers of trusting
remote configs.

Ryan, Does that work for you?

-sv
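
The restriction debated in this thread, sketched as an added example that is not part of the original message and is not yum's code (the message above says yum will ship the feature with a man page warning instead). It assumes `gpgcheck` is the only protected key, since that is the one the thread names; the URL, the sample configs and the function names are constructed.

```python
import configparser
from urllib.parse import urlparse

# Assumption: only gpgcheck is protected, because it is the key the thread discusses.
PROTECTED_KEYS = {"gpgcheck"}

def _parse(text):
    # interpolation=None so '%' in URLs or paths is taken literally
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def is_remote(include_value):
    """True when an include= value points off-host (http, https or ftp)."""
    return urlparse(include_value.strip()).scheme in {"http", "https", "ftp"}

def merge_include(local_text, included_text, include_is_remote):
    """Merge an included config over the local one.

    Returns (merged, rejected). For a remote include, PROTECTED_KEYS keep
    their local value (or stay unset) and each attempted override is
    recorded in rejected as a (section, key, remote_value) tuple.
    """
    local, included = _parse(local_text), _parse(included_text)
    merged = {s: dict(local[s]) for s in local.sections()}
    rejected = []
    for section in included.sections():
        target = merged.setdefault(section, {})
        for key, value in included[section].items():
            if include_is_remote and key in PROTECTED_KEYS:
                rejected.append((section, key, value))
                continue
            target[key] = value
    for opts in merged.values():
        opts.pop("include", None)  # the directive itself is not a setting
    return merged, rejected

# Constructed sample input: a local file that pulls in a remote config,
# and a remote config that tries to turn signature checking off.
LOCAL = "[main]\ninclude=http://config.example.invalid/yum.conf\ngpgcheck=1\n"
REMOTE = "[main]\ngpgcheck=0\ncachedir=/var/cache/yum\n\n[base]\nname=Base\ngpgcheck=0\n"

if __name__ == "__main__":
    inc = _parse(LOCAL)["main"]["include"]
    merged, rejected = merge_include(LOCAL, REMOTE, is_remote(inc))
    print(merged)
    for section, key, value in rejected:
        print(f"ignored remote {key}={value} in [{section}]")
```

If the local file holds nothing but `include=`, the case raised at the top of the message, a protected key has no local value to fall back on and stays unset here; what default applies then is a separate policy decision.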




