Re: [Full-disclosure] Re: tar alternative
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Re: tar alternative
- From: darren kirby <bulliver@xxxxxxxxxxxxxxx>
- Date: Sat, 9 Sep 2006 07:57:53 -0700
quoth the Tim:
> > What problems ?
>
> 1. tar archives contain information about the user and group of a file.
> This is critical for backups, but quite unnecessary for software
> distribution in the vast majority of cases. It is a common pitfall
> for software authors to leak information about their systems this
> way.
What tar are you using? With every tarball I download, the files within are
given the owner:group of the user I extract them as.
I have never seen a developer's username or group disclosed...
> 2. As discussed in this thread, tar archives contain permissions for
> files. Also important for backups, not important for software
> distribution IMHO.
Sure they are important. Would you want to manually chmod +x all executables
and scripts? Manually chmod +r all documentation? Even stipulating that we
could use the umask value to decide permissions it is still a PITA.
> 3. tar traditionally allows files to be extracted to any directory,
> which can be dangerous.
This can be mitigated if you don't blindly extract tarballs as root, and you
only extract in safe locations. If you unpack stuff to '/' you deserve to
hose your system.
True, some boneheads don't package their stuff in a top-level directory
potentially overwriting existing files in the pwd. Perhaps the GNU folks
should add a 'noclobber' option....
>
> True, these behaviors can be overridden, or a tool developed that has
> safe defaults, but then the tool would be less useful for backups. The
> point is, the Unix community has been using a backup tool for software
> distribution for many years. Perhaps having the right tool for the job
> would be safer.
>
> For instance, a format that only contained filenames and timestamps, and
> is built to only output all files under a specific directory tree would
> be nice.
>
> > I would say cpio, but you don't want any backup designed archivers.
>
> Yeah, I had thought of that as well, but it likely has the same issues.
>
> thanks,
> tim
-d
--
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
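The three points argued over above (owner and group fields, permission bits, and where entries land on extraction) are all decided by the tar headers, so they can be checked before anything is written to disk, the same fields `tar tvf` prints. The following is an added example for this thread, not code from either poster: it constructs a small sample tarball in memory that exhibits each problem, audits it, and rewrites it with distribution-safe metadata (no owner information, modes normalised to 0644/0755, escaping paths and links dropped). The `pkg/` layout, the file names and the `alice:devs` owner are invented for the illustration.

```python
"""Audit a tarball's headers before extraction and rewrite it for
distribution. Added example for this thread; the sample archive is
constructed inline and does not correspond to any real package."""
import io
import posixpath
import tarfile


def _entry(name, data=b"", mode=0o644, uname="", gname="", uid=0, gid=0,
           ltype=tarfile.REGTYPE, linkname=""):
    ti = tarfile.TarInfo(name)
    ti.size, ti.mode, ti.type, ti.linkname = len(data), mode, ltype, linkname
    ti.uname, ti.gname, ti.uid, ti.gid = uname, gname, uid, gid
    return ti, data


def build_sample_tar():
    """Constructed sample (hypothetical developer 'alice', group 'devs'):
    leaked owner info, an absolute path, a '..' traversal, a symlink
    pointing outside the tree, and a file outside the package directory."""
    buf = io.BytesIO()
    who = dict(uname="alice", gname="devs", uid=1000, gid=1000)
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for ti, data in (
            _entry("pkg/README", b"docs\n", 0o600, **who),
            _entry("pkg/bin/run.sh", b"#!/bin/sh\n", 0o755, **who),
            _entry("/etc/motd", b"pwned\n", 0o644, **who),
            _entry("pkg/../../etc/cron.d/job", b"* * * * * root id\n", 0o644, **who),
            _entry("pkg/link", b"", 0o777, ltype=tarfile.SYMTYPE,
                   linkname="/etc/passwd", **who),
            _entry("LICENSE", b"MIT\n", 0o644, **who),
        ):
            tf.addfile(ti, io.BytesIO(data))
    return buf.getvalue()


def unsafe_path(name):
    """True if extracting `name` could land outside the destination."""
    return name.startswith("/") or ".." in posixpath.normpath(name).split("/")


def link_escapes(m):
    """Hard links are archive-relative; symlinks resolve from their own dir."""
    if m.islnk():
        return unsafe_path(m.linkname)
    if m.issym():
        return unsafe_path(posixpath.join(posixpath.dirname(m.name), m.linkname))
    return False


def audit_tar(data):
    """Return (kind, name, detail) findings a distribution tarball should not
    have: leaked owner/group, setuid/setgid/sticky or world-writable modes,
    paths or links escaping the tree, and no single top-level directory."""
    findings, tops = [], set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for m in tf.getmembers():
            if m.uname or m.gname or m.uid or m.gid:
                findings.append(("owner-leak", m.name,
                                 f"{m.uname or m.uid}:{m.gname or m.gid}"))
            if not m.issym() and m.mode & 0o7002:   # suid/sgid/sticky/o+w
                findings.append(("mode", m.name, oct(m.mode)))
            if unsafe_path(m.name):
                findings.append(("path", m.name, "escapes destination"))
            if link_escapes(m):
                findings.append(("link", m.name, m.linkname))
            tops.add(posixpath.normpath(m.name).split("/")[0])
    if len(tops) != 1:
        findings.append(("layout", ",".join(sorted(tops)),
                         "no single top-level directory"))
    return findings


def sanitize_tar(data):
    """Rewrite for distribution: drop owner info, normalise modes to
    0644/0755, and drop entries whose path or link target escapes the
    tree. Returns (new_archive, dropped_names). Layout is left to the
    packager; the audit will still report it."""
    out, dropped = io.BytesIO(), []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as src, \
         tarfile.open(fileobj=out, mode="w") as dst:
        for m in src.getmembers():
            if unsafe_path(m.name) or link_escapes(m):
                dropped.append(m.name)
                continue
            m.uid = m.gid = 0
            m.uname = m.gname = ""
            if m.isdir():
                m.mode = 0o755
            elif m.isfile():
                m.mode = 0o755 if m.mode & 0o111 else 0o644
            dst.addfile(m, src.extractfile(m) if m.isfile() else None)
    return out.getvalue(), dropped


def summarize(data):
    """name -> (mode, uname, gname, uid, gid); handy for diffing before/after."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        return {m.name: (m.mode, m.uname, m.gname, m.uid, m.gid)
                for m in tf.getmembers()}


if __name__ == "__main__":
    sample = build_sample_tar()
    for kind, name, detail in audit_tar(sample):
        print(f"{kind:<10} {name:<26} {detail}")
    clean, dropped = sanitize_tar(sample)
    print("dropped:", dropped)
    print("remaining:", audit_tar(clean))
```

Running the audit on the constructed sample reports every entry as an owner leak, the two escaping paths, the escaping symlink and the layout problem; after `sanitize_tar` only the layout finding remains, because no rewrite can decide where a packager meant `LICENSE` to live. Python 3.12's `tarfile.data_filter` applies similar path and link checks at extraction time, but checking the headers up front is what lets you refuse the archive rather than discover the problem halfway through unpacking it.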
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/