reopen 248122
tags 248122 wontfix
thanks

Because there's still discussion in this bug I'm reopening it, but tagging it wontfix for now since that's my current opinion.

On Thu, 2007-04-19 at 15:27 -0400, Justin Pryzby wrote:
> Hi, Will you at least consider using checksums?

I don't understand... we're already using checksums to verify the downloaded files. Or am I missing something?

> I still think running wget as root should be avoided. The apt code
> was written with this in mind, but wget is typically run by normal
> users.

> f=`tempfile`
> adduser mstwget

this needs a `chown mstwget $f` I think.

> su -c "wget -O '$f'" mstwget
> chown root:root "$f"
> deluser msgwget

I'm not opposed to running wget non-privileged in principle, but am concerned about extra fragility introduced in the process, offset against the risk that running wget as root could bring. Since wget is very widely used, and also in quite some packages as root automatically, I think the risk of wget being faulty is relatively small.

msttcorefonts is not the only 'downloader' package. What I think would be a nice solution, is if some system is developed that serves as common downloader-package code, and that code is used by the downloading packages.

While I don't feel like maintaining my own system for privilege dropping when other packages are not doing that, or doing it differently, I am open to use a system as long as this is common for all downloaders, hence increasing the testing and reducing duplication. Maybe some kind of "downloaders-common" like "dbconfig-common"?

Thijs
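The two measures discussed in this message (fetching as an unprivileged user, and checking the checksum before anything is installed) combined in one sketch; this is an added example, not part of the original message or of the msttcorefonts package. The `nobody` account, the use of `runuser` and GNU `wget`, SHA-256 as the digest, and all function names are assumptions.

```shell
#!/bin/sh
# Added example (not the msttcorefonts code). DL_USER and all function
# names are assumptions chosen for illustration.
DL_USER=${DL_USER:-nobody}

# fetch_unprivileged URL DEST
# As root: hand an empty DEST to $DL_USER, download as that user, then take
# ownership back. As a normal user there is no privilege to drop.
fetch_unprivileged() {
    fu_url=$1; fu_dest=$2
    : > "$fu_dest" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$DL_USER" "$fu_dest" || return 1   # the chown the reply asks for
        runuser -u "$DL_USER" -- wget -q -O "$fu_dest" "$fu_url"
        fu_rc=$?
        chown root:root "$fu_dest" || return 1
        return "$fu_rc"
    fi
    wget -q -O "$fu_dest" "$fu_url"
}

# verify_sha256 FILE EXPECTED_HEX: succeeds only on an exact digest match.
# A missing or unreadable file yields an empty digest and therefore fails.
verify_sha256() {
    vs_actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$vs_actual" ] && [ "$vs_actual" = "$2" ]
}

# install_if_verified FILE EXPECTED_HEX TARGET
# Nothing reaches TARGET unless the digest matches; a bad download is deleted.
install_if_verified() {
    if verify_sha256 "$1" "$2"; then
        mv "$1" "$3"
    else
        rm -f "$1"
        return 1
    fi
}
```

The expected digest has to ship inside the package itself, so a file written by the unprivileged download step is never trusted until it matches.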