oss-sec mailing list archives

Re: Multiple libraries privilege checking


From: Solar Designer <solar () openwall com>
Date: Wed, 18 May 2011 21:28:17 +0400

On Wed, May 18, 2011 at 06:53:23PM +0200, yersinia wrote:
> It happens that I am, with another name, an rpm5/popt co-maintainer. I am very
> interested to integrate these patches, being also a security
> professional. Very

<offtopic>
We have many more rpm patches here:
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/rpm/
These are against rpm-4.2 and most of them are non-security, but they
were required to make rpm usable for us.  For example, when a package is
rebuilt with some changes but without Epoch/Version/Release change, and
the old build contains some files that are not in the new build, and the
package is upgraded on a system (such as with "-U --force"), the
original rpm would leave orphaned files around on the system (security
relevance: even SUID/SGID program binaries).  Ours removes those files.
You could want to take a look at our patches and see if any are still
relevant to rpm5.
</offtopic>

> useful to follow this mailing list, but I am not part of a distro, at least
> for now, and I can no longer follow it in the future due to the recent
> policy change. Thanks anyway.

Huh?  There's no policy change.  Are you possibly misinterpreting the
"Closed list" thread as applying to the oss-security list?  It does not.
The closed list is an alternative to the old vendor-sec and to the CC
lists that started to appear in the month without vendor-sec.  It is not
an alternative to oss-security.  In fact, with the new closed list being
more limited than the old vendor-sec was, I expect more topics to be
discussed on oss-security than there were when vendor-sec was around.

Thanks,

Alexander

