On Sun, Aug 03, 2003 at 10:04:09PM -0500, Manoj Srivastava wrote:
> I can easily code an entry for katie and friends that takes a new
> package, and marks up the ones with setgid bits set -- and the ftp
> maintainers do not create override entries until they see a consensus
> develop, or the security team says ok.

You could, but it wouldn't be useful as a filter, because it would not notice packages which set the permissions in postinst (as does every package with a dynamic uid). Note that this is NOT what was proposed. While I think this might be a useful methodology in the future, I do not think that it makes sense until the review process has established itself in a less fascist manner.

> Are you saying that the review was not discussed as a gating
> mechanism? If that is the case, then I admit I, for one, was fooled.
>
> Message-ID: <[EMAIL PROTECTED]>
> Message-ID: <[EMAIL PROTECTED]>
> >> All set[ug]id setups should be reviewed before they go into the
> >> archive.

I do not understand how you logically reach "gating mechanism" from my "should" above. None of the other "should" statements in the policy manual are interpreted this way. How did I fool you?

--
 - mdz