On Wed, 15 May 2013 13:10:06 -0500 Serge Hallyn <serge.hal...@ubuntu.com> wrote:
> Quoting Kaarle Ritvanen (kaarle.ritva...@datakunkku.fi): > ... > > + wget="wget -O - $repository/x86" > .. > > + $wget/apk-tools-static-$apk_version.apk | \ > > + tar -Oxz sbin/apk.static > $apk || return 1 > > + chmod u+x $apk > > + > > + apk_opts="$apk_opts --allow-untrusted" > > + fi > > + > > + $apk add -U --initdb --root $rootfs $apk_opts "$@" alpine-base > > Boy does that scare me though. We could inline the public key(s) in the script so we could remove the '--allow-intrusted' above. But verifying the sig for the static binary might be tricky without having apk-tools installed already. I suppose you could always ask your distro to ship a proper apk-tools.deb/rpm. Or maybe throw an error: Error: no apk binary was found. You can automatically download a static apk with: --allow-untrusted-static-apk Then you'll not by mistake download and execute an untrusted static binary. -nc ------------------------------------------------------------------------------ AlienVault Unified Security Management (USM) platform delivers complete security visibility with the essential security capabilities. Easily and efficiently configure, manage, and operate all of your security controls from a single console and one unified framework. Download a free trial. http://p.sf.net/sfu/alienvault_d2d _______________________________________________ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
