[oe] [ALERT] Security vulnerability with recent OE bitbake.conf changes

Paul Sokolovsky pmiscml at gmail.com
Thu May 3 12:47:32 UTC 2007


Hello openembedded-devel,

A commit made some time ago,

http://lists.linuxtogo.org/pipermail/openembedded-commits/2007-April/004912.html

introduced a hole which may lead to unnoticed security vulnerabilities
slipping into the packages/images produced. Specifically, it defines a
random application of a random suite to be used for resolving patching
conflicts/failures. If you don't happen to have that random tool,
patching failure will be silently swallowed, leading to any adverse
effects imaginable - from compile failure to the mentioned security
vulnerabilities.

Proposed solutions:

1. Bring back some reality and switch back to previous default of
dropping to standard shell for resolution:

-TERMCMD ?= "${GNOME_TERMCMD}"
-TERMCMDRUN ?= "${GNOME_TERMCMDRUN}"
+TERMCMD ?= "${SHELLRCCMD}"
+TERMCMDRUN ?= "${SHELLRCCMD}"
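Review bot: both TERMCMD and TERMCMDRUN receive the same value ${SHELLRCCMD}, while the removed lines distinguish GNOME_TERMCMD from GNOME_TERMCMDRUN; confirm that SHELLRCCMD is usable in both roles, or give the RUN variant its own value. Note also that this hunk only swaps the default tool; on its own it does not stop a patch failure from being silently swallowed when the configured command is absent (the problem described above), so the patch step should additionally fail hard whenever ${TERMCMD} cannot be executed.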


2. Add DEPENDS on that random tool, namely gnome-terminal.

If going with choice 2, I propose also doing the following: 1) add
depends on xine, mplayer, totem, and a few other video players; 2) add depends
on mesa and show a nice 3D rotating menu to select the player of the user's choice;
3) use the selected player to show video during the build - after all,
if the user deserves the comfort of using superfluous GUI tools for conflict
resolution, why should one be bored during the normal build process?


Thanks,

-- 
 Paul                          mailto:pmiscml at gmail.com
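The failure mode described in the mail, as an added illustration in POSIX shell that is not OpenEmbedded's code: a patch step that, on failure, hands off to a resolver command (the role TERMCMD plays in bitbake.conf). `fake_patch` is a constructed stand-in for the real patch application, and `apply_unsafe`/`apply_safe` are hypothetical names. The unsafe variant reports success even when the resolver is not installed at all (command-not-found, exit 127); the safe variant checks that the resolver exists before relying on it and only succeeds if the patch actually applies afterwards.

```shell
#!/bin/sh
# Added example (not OE's own code). Shows why a missing resolver tool must
# turn into a hard build failure rather than being ignored.

# Constructed stand-in for the real patch step: succeeds only for "ok".
fake_patch() {
    [ "$1" = "ok" ]
}

# Unsafe: the resolver's exit status is discarded, so a resolver that does
# not even exist still leaves the build believing the patch was resolved.
apply_unsafe() {
    termcmd=$1
    patch_arg=$2
    if ! fake_patch "$patch_arg"; then
        $termcmd >/dev/null 2>&1   # status (including 127 = not found) dropped
        return 0                   # reports success regardless
    fi
}

# Safe: refuse to continue when the configured resolver cannot be run,
# propagate the resolver's failure, and re-check that the patch now applies.
apply_safe() {
    termcmd=$1
    patch_arg=$2
    if fake_patch "$patch_arg"; then
        return 0
    fi
    if ! command -v "$termcmd" >/dev/null 2>&1; then
        echo "ERROR: resolver '$termcmd' is not installed; cannot resolve patch failure" >&2
        return 2
    fi
    "$termcmd" >/dev/null 2>&1 || return 1
    # After manual resolution the patch must really apply; otherwise fail.
    fake_patch "$patch_arg" || return 1
}
```

Run `apply_unsafe no-such-terminal-tool bad; echo $?` to see the unsafe variant return 0 although nothing was resolved, and `apply_safe no-such-terminal-tool bad; echo $?` to see the safe variant stop the build with exit status 2.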