Pawel Kot
02-19-2008, 09:21 PM
Re: being a normal user to build package

+Alan Hicks+ wrote:

> In alt.os.linux.slackware, Pawel Kot dared to utter,
>>> tar retains ownership and permissions of files. If you were to create a
>>> package as user and then install it as root system-wide, the files *and*
>>> the directories in the package would obtain ownership and permissions of
>>> the user that created the package.
>>
>> That's why (among other reasons) the post-install script idea was
>> invented.
>
> It's poor form (IMO) to rely on a post-install script to handle
> permissions cleanly. There's a lot of variables that could go wrong,
> specifically setting permissions that are insecure or non-functional.


That's the job for the packager. Ensure that the package is done correctly.
There's not much difference in ensuring the permissions are correct when
preparing the package and when installing the package.

> For example, let's suppose for a moment you compiled an apache package
> with suexec and did so as a user. In order to know exactly what you
> need to set your permissions to, you really need to run "make install"
> to be sure you got things correct, and at that point, why are you
> bothering to do it twice? In short, a lot of complication that can
> break things, and a lot of wasted time and energy.


make install is easy. Upgrading from this may not be that easy. Preparing
packages as root may be dangerous (e.g. when you accidentally overwrite some
files). Why do something as root that you don't need to?

> Like I said in another post. If you can't trust the source code you're
> compiling to behave during the compile, why are you compiling it in the
> first place?


installing <> compiling. I've seen a lot of programs that had fcked up build
scripts and vice versa.

take care,
pkot
--
p k o t a t b e z s e n s u d o t p l
http://www.gnokii.org/
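The ownership point debated in this post, as an added example that is not part of the original thread: `audit` lists archive members whose recorded owner or mode would be unsafe once root extracts them, and `root_owned` is a `tarfile` filter that records root:root in the archive without building as root. The function names and the sample tree (packed as uid/gid 1000) are constructed for illustration.

```python
import io
import stat
import tarfile

def root_owned(info: tarfile.TarInfo) -> tarfile.TarInfo:
    """tarfile filter: record root:root instead of the builder's uid/gid."""
    info.uid = info.gid = 0
    info.uname = info.gname = "root"
    return info

def audit(archive: bytes) -> list[str]:
    """List members whose recorded owner or mode is unsafe when root extracts."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        for m in tar:
            if m.uid != 0 or m.gid != 0:
                findings.append(f"{m.name}: owner {m.uid}:{m.gid}")
            if not m.issym() and m.mode & stat.S_IWOTH and not m.mode & stat.S_ISVTX:
                findings.append(f"{m.name}: world-writable {oct(m.mode)}")
            if m.isfile() and m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(f"{m.name}: setuid/setgid {oct(m.mode)}")
    return findings

def repack(archive: bytes, member_filter) -> bytes:
    """Copy an archive, passing every member header through member_filter."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(archive)) as src, \
         tarfile.open(fileobj=out, mode="w") as dst:
        for m in src:
            data = src.extractfile(m) if m.isfile() else None
            dst.addfile(member_filter(m), data)
    return out.getvalue()

def sample_package() -> bytes:
    """Constructed sample: a tree as uid/gid 1000 would have packed it."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w") as tar:
        for name, mode, kind in [("usr/bin", 0o755, tarfile.DIRTYPE),
                                 ("usr/bin/tool", 0o4755, tarfile.REGTYPE),
                                 ("etc/tool.conf", 0o666, tarfile.REGTYPE)]:
            info = tarfile.TarInfo(name)
            info.type, info.mode, info.uid, info.gid = kind, mode, 1000, 1000
            info.size = 4 if kind == tarfile.REGTYPE else 0
            tar.addfile(info, io.BytesIO(b"data") if info.size else None)
    return out.getvalue()

if __name__ == "__main__":
    pkg = sample_package()
    print(audit(pkg), audit(repack(pkg, root_owned)), sep="\n")
```

Normalizing ownership clears the owner findings but leaves the mode findings, so the setuid bit (now setuid-root) and the world-writable config file still need the packager's review.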