On Tue, Aug 23, 2011 at 5:20 PM, Walter Hurry <walterhu...@lavabit.com> wrote:
> On Tue, 23 Aug 2011 11:24:38 -0300, D G Teed wrote:
>
> > A user would like the latest and greatest zsh and we have a deb package
> > for it. For security purposes I want to keep the slightly older version
> > of zsh obtained and maintained from debian packages as the system
> > default zsh.
>
> Your reasoning does not seem logical to me. If you need to stick to an
> older version of a given package for "security purposes", then why allow
> one user access to an allegedly insecure version?
>
> On the other hand, if it is considered safe for that user to have access
> to the latest version, then why not just make it standard for everyone?
>

The user has a shell account and access to a compiler. If they want to, they can compile and create zsh or other software and run it under their own home area. There is no policy blocking that. I'm merely helping them out a little, and gaining a bit of organization in contrast to letting users create their own solution.

If there was a security issue against zsh, chances are that script kiddies would be looking at the one in the default location, not the hand compiled one. There is also a small risk that the hand compiled one becomes unsupported temporarily due to lib updates, so it can't hurt to carry the supported version as a fall back.