Software update should not run on any logon except...

Scott Robbins scottro at nyc.rr.com
Sat May 7 12:37:51 UTC 2011


On Sat, May 07, 2011 at 05:22:04AM -0700, Leslie S Satenstein wrote:
> The automatic update is a great tool.   However, on a regular user account, it
> can be clicked to run, and when it does, it asks if new dependency files should
> be included in the update.  I think that allowing dependency files may be a
> potential security breach. 

It's not considered a bug. A bug was filed and apparently it can be
changed by doing something with polkit, though I don't remember what.
The suggestion, IIRC, was that if this was a security issue in your situation,
use RH or CentOS (or Scientific Linux), or find what had to be done with
polkit.
   

Originally, any signed package could be installed through PackageKit,
but after that made the front page of Slashdot, it was changed to any
already installed, signed package.

If you search Bugzilla for PackageKit authorization or something like
that, you might be able to find it. It was from right around when RHEL6
beta first came out.


-- 
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

Buffy: I'm sorry, it's just been a really weird day. 
Xander: Yeah, Buffy died and everything. 
Willow: Wow, harsh. 

