Since this patch probably needs some explanation, I'd like to give an explanation as to why I'd like to see this accepted.
The current structure of the busybox packages, which includes the bbsuid binary as well as busybox,
forces every Alpine installation to include the suid binary to provide functionalities like mount, passwd or su.
If Alpine is run as a chroot or Docker container or similar installation, which is no longer uncommon these days,
having suid binaries included in the installation should no longer be required and is imo quite undesirable if you think about security.
The proposed patch splits the busybox package into two subpackages, busybox-core and busybox-suid.
The core package contains everything that is currently included in the busybox package except for the bbsuid binary.
This will be shipped via the busybox-suid package. The busybox package will be turned into a metapackage
that pulls in busybox-core and busybox-suid, so for most use cases nothing will change except for those installations
that desire it explicitly.
I am aware that a lot of packages currently depend on the busybox package. I think it would be feasible enough to update those
step by step to require only the subpackages they really need to depend on (which probably is not or should not be suid in most cases).
I'm looking forward to your thoughts.
Received on Sat Oct 17 2015 - 16:46:57 UTC