Closed JohnDoe42 closed 10 years ago
falconindy
commented
10 years ago I can't imagine that the user/group would actually matter. Do you really extract downloaded tarballs and preserve permissions? Mode is also tricky, since files can be 644 or 755. I'm not convinced that I should be modifying files for the user -- I think it may be better to just let the AUR reject the upload instead of reimplementing rules (which might change) on the client side.
JohnDoe42
commented
10 years ago I can't imagine that the user/group would actually matter. Do you really extract downloaded tarballs and preserve permissions?
No, but in fact you store your username in the AUR. Since makepkg anonymise the user/group and the package description says, that mkaurball is just a wrapper, that adds a .AURINFO, it should act like a wrapper and consider the permissions, that makepkg sets. Furthermore it's a decision of to respect the privacy of the packager or not even if almost all packager write their name in the PKGBUILD file.
Permissions: Agree with you.
falconindy
commented
10 years ago I can't possibly fathom how a user or group name would be revealing in any way. makepkg does this for packages because pacman does preserve ownership.
JohnDoe42
commented
10 years ago Thought, that since mkaurball perserves ownership and user, this information remains in the archive and is uploaded to the AUR and can also be downloaded by any user.
But I might be wrong. Just see the username in the archive. Is it the real name that is saved or is it the UID and GID? At least for files in the filesystem it's the UID and GID but I don't know if tar is acting in the same way???
falconindy
commented
10 years ago Sure, it's saved in the archive. But who cares? The AUR isn't making any attempts to allow anonymous submissions (quite the reverse) -- what secrets are you encoding in your local username?
JohnDoe42
commented
10 years ago I'm shure it does. You only need a username and a (garbage) mailadress and you are able to submit a package. There is no secret in my local username but i.e. s.b. may use it to make bruteforce attacks against ssh easier when you know the username. So we definitly should care about that and it's even quite easy to package in a fakeroot...
falconindy
commented
10 years ago Without an IP address, attacking someone is rather difficult. You won't get the IP address without doing a lot of correlation with the server side access logs. If someone gets that far, local usernames in tarballs on some far away server are the least of your concerns.
Anyways, I added this for consistency with makepkg. I strongly suggest you readjust your tinfoil hat.
JohnDoe42
commented
10 years ago Thank you.
Makepkg is packaging within a fakeroot environment. Thus all files packaged are owned by root. This should be added to mkaurball.
Maybe also the directory permissions (755) and filepermissions (644) should be checked by mkaurball.