[Mageia-discuss] mageiaupdate and the list of updates

Michael Scherer misc at zarb.org
Mon Jul 4 01:46:59 CEST 2011


On Saturday, 02 July 2011 at 19:40 -0400, andre999 wrote:
> Anne nicolas wrote:
> > 2011/7/2 Romain d'Alverny<rdalverny at gmail.com>:
> >> On 2 Jul 2011 at 17:14, andre999<andr55 at laposte.net>  wrote:
> >>> Suppose during the update process you have a check box to put a particular update on
> >>> the skip list, or another to uninstall the corresponding package.
> >>
> >> That would be an interesting option to investigate.
> >>
> >>> Note that if you can't uninstall a package because it is required, it is usually
> >>> inadvisable to skip updates, unless you really understand the issues.
> >>
> >> So the user is stuck: unadvisable to skip the updates, unless she understands the issues
> >> =>  just make the update automatic in a background task by default then; one doesn't care
> >> about the issues - or won't have a single clue about it either, unless being a specific
> >> type of user that would know how to disable this auto update setting anyway).
> >>
> >>> Changing when the password is requested would reduce the security for the system, as
> >>> unauthorised users could see what is installed.
> >>
> >> Unauthorised users using an authorised session, to be more specific.
> 
> Such a situation is far from rare in multi-user environments.
> But also if someone doesn't know the root password, currently they can't see 
> what is installed.  By delaying it until something is actually updated, they can 
> see everything.  So a remote user with limited privileges could more easily 
> compromise the system.

They can use rpm -qa on the terminal to know what is installed.

And they can use urpmq --auto-select to see the current update.

In fact, one reason not to ask for the password before updating would simply be
to decide if we update now, or later, due to various network-related
reasons (like using 3G, or slow wifi). If I see an update of
libreoffice, I would prefer to do it at home.

And there is no technical reason to ask for the password before displaying,
so I think we should ask for it only for an important reason (i.e., really
update).
This would be consistent with other OSes (OS X asks for the password only when we
choose to update, so do Fedora/packagekit and Ubuntu/apt-daemon).

-- 
Michael Scherer


