*sing* %post and %pre and securiteeee
How to not get CVEs assigned when using rpm scriptlets
Johannes Segitz
Security engineer at SUSE.
Since my teenage years in the 90s I have been interested in IT security. After visiting my first CCC congress I got hooked and never looked back. For the last ten years I have been a member of the SUSE security team and try to make open source software more secure.
No video of the event yet, sorry!
The SUSE security team often finds security issues specific to the rpm packaging of applications. This talk shows you some of the findings and gives you recommendations on how to avoid creating CVEs while packaging software.
This will be interesting to you if you're a packager and use %post or similar scriptlets in your packaging. Unfortunately it's quite easy to cause security issues while using these, but most packagers are not aware of the risk. This talk is intended to change that and give you the knowledge you need to prevent issues like these.
Modern rpm versions already have some limited countermeasures against some of the issues that will be shown, but we can't rely on them to fix all of the usual problems that we see when reviewing these constructs.
https://www.slideshare.net/slideshow/sing-post-and-pre-and-securiteeee-sing/273619515
- Date: 2024 November 2 - 13:30
- Duration: 40 min
- Room: Room C
- Conference: openSUSE.Asia Summit 2024
- Language: English
- Track: openSUSE
- Difficulty: Medium