[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Re: tar alternative
- To: Cristi Mitrana <cristi.mitrana@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Re: tar alternative
- From: Tim <tim-security@xxxxxxxxxxxxxxxxxxx>
- Date: Sat, 9 Sep 2006 09:06:38 -0400
> What problems ?
1. tar archives contain information about the user and group of a file.
This is critical for backups, but quite unnecessary for software
distribution in the vast majority of cases. It is a common pitfall
for software authors to leak information about their systems this
way.
2. As discussed in this thread, tar archives contain permissions for
files. Also important for backups, not important for software
distribution IMHO.
3. tar traditionally allows files to be extracted to any directory,
which can be dangerous.
True, these behaviors can be overridden, or a tool developed that has
safe defaults, but then the tool would be less useful for backups. The
point is, the Unix community has been using a backup tool for software
distribution for many years. Perhaps having the right tool for the job
would be safer.
For instance, a format that only contained filenames and timestamps, and
is built to only output all files under a specific directory tree would
be nice.
> I would say cpio, but you don't want any backup designed archivers.
Yeah, I had thought of that as well, but it likely has the same issues.
thanks,
tim
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/