[Mageia-discuss] mageiaupdate and the list of updates

andre999 andr55 at laposte.net
Mon Jul 4 06:05:24 CEST 2011


Michael Scherer wrote:
> On Saturday 2 July 2011 at 19:40 -0400, andre999 wrote:
>> Anne nicolas wrote:
>>> 2011/7/2 Romain d'Alverny<rdalverny at gmail.com>:
>>>> On 2 Jul 2011 at 17:14, andre999<andr55 at laposte.net>   wrote:
>>>>> Suppose during the update process you have a check box to put a particular update on
>>>>> the skip list, or another to uninstall the corresponding package.
>>>>
>>>> That would be an interesting option to investigate.
>>>>
>>>>> Note that if you can't uninstall a package because it is required, it is usually
>>>>> inadvisable to skip updates, unless you really understand the issues.
>>>>
>>>> So the user is stuck: unadvisable to skip the updates, unless she understands the issues
>>>> =>   just make the update automatic in a background task by default then; one doesn't care
>>>> about the issues - or won't have a single clue about it either, unless being a specific
>>>> type of user that would know how to disable this auto update setting anyway).
>>>>
>>>>> Changing when the password is requested would reduce the security for the system, as
>>>>> unauthorised users could see what is installed.
>>>>
>>>> Unauthorised users using an authorised session, to be more specific.
>>
>> Such a situation is far from rare in multi-user environments.
>> But also if someone doesn't know the root password, currently they can't see
>> what is installed.  By delaying it until something is actually updated, they can
>> see everything.  So a remote user with limited privileges could more easily
>> compromise the system.
>
> They can use rpm -qa on the terminal to know what is installed.

True.  And those more likely to present security problems would know how to use 
the terminal.

> And they can use urpmq --auto-select to see the current update.

Ok.

> In fact, one reason to not ask for the password before updating would simply be
> to decide if we update now, or later, due to various network-related
> reasons (like using 3G, or slow wifi). If I see an update of
> libreoffice, I would prefer to do it at home.

I do that sort of thing a lot myself.  For the same reason.

> And there are no technical reasons to ask for the password before displaying,
> so I think we should ask for it only for an important reason (i.e., really
> update).
> This would be consistent with other OSes (OS X asks for the password only when we
> choose to update, so do Fedora/packagekit and Ubuntu/apt-daemon).

You convinced me.
(Maybe I tend to be a little overly concerned about security.)

So there are 2 things I'd like to see.
- Moving the password requirement to just before actual update.
- Adding an rpmdrake feature to put a specific package (exact version) in the skip 
list in an advanced mode. (Much like the advanced mode of diskdrake.)
With an option to edit the skip list to remove items.
(I know I could edit the skip list via the console, but it would be easier and 
less subject to typos in rpmdrake.  And I'm a bit lazy.)
-- 
André

