02-19-2008, 08:19 PM
+Alan Hicks+
Re: being a normal user to build package

In alt.os.linux.slackware, Olive dared to utter,
> Something that I do not like in Slackware is that the build scripts to generate
> Slackware packages assume that they will be run as root. Moreover, the tool
> buildpkg does not allow setting the correct owner of the files in a package
> without doing a chown on the to-be-packaged directory (which requires being
> root), making it impossible to write a build script that is able to generate a
> package without being root. Making a package as root can be very dangerous
> since we do a make install; maybe not with the official build scripts
> (which are well tested), but certainly with home-made or hacked build scripts.
>
> This approach contradicts the philosophy of never being root when you do not
> really need to.
Not exactly, as you do really need to be root to create a package,
regardless of package type.[0] "make install" generally has to be run
as root for anything that is going to be installed system-wide. Users
are not able to chown their files to owner root, for example. You could
say that it is more secure to run the compile as a user, and to that I
agree. However, I think you miss the point that a compile-time-based
attack is highly unlikely, if only because it is no less difficult than
implementing a flaw in the resulting binary (and less likely to
actually work). Hence you should only be using trusted source anyway.
If you don't trust your source, don't trust that compiling it as a user
is going to somehow magically make you safe.

[0] Note that this isn't _exactly_ true, but that discussion is for
another post. :^)

--
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5
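As an added example (not code from this thread or from Slackware itself): a POSIX shell audit of a staged package tree, the $PKG directory that would be handed to makepkg, listing files that are not owned by root, are world-writable, or carry setuid/setgid bits, so the result of a "make install" from a home-made build script can be reviewed before it is packaged and installed system-wide. The sample tree it builds is constructed for the demonstration and is an assumption, not a real package.

```shell
#!/bin/sh
# Added example, not from the thread. Audit a staged Slackware package tree
# (the $PKG directory makepkg would tar up) before packaging. It reports
# files a package should not normally ship unreviewed: files not owned by
# root, world-writable entries, and setuid/setgid files.

# Print one line per finding: "<category> <path>".
audit_pkg_tree() {
    pkgdir="$1"
    [ -d "$pkgdir" ] || { echo "audit_pkg_tree: not a directory: $pkgdir" >&2; return 2; }
    # Non-root owner: an unprivileged build cannot chown to root, so such
    # files would be installed with the builder's uid.
    find "$pkgdir" ! -user root -print | sed 's/^/non-root-owner /'
    # World-writable files or directories.
    find "$pkgdir" -perm -0002 -print | sed 's/^/world-writable /'
    # Setuid or setgid files, which deserve a second look in any package.
    find "$pkgdir" -type f \( -perm -4000 -o -perm -2000 \) -print \
        | sed 's/^/setuid-setgid /'
}

# Count findings of one category, e.g. count_findings "$PKG" world-writable.
count_findings() {
    audit_pkg_tree "$1" | grep -c "^$2 " || true
}

# Build a small CONSTRUCTED sample tree (an assumption made for this demo)
# containing one world-writable config file and one setuid script.
make_sample_tree() {
    pkg="$1"
    mkdir -p "$pkg/usr/bin" "$pkg/etc"
    printf '#!/bin/sh\necho hello\n' > "$pkg/usr/bin/hello"
    chmod 0755 "$pkg/usr/bin/hello"
    printf 'option=1\n' > "$pkg/etc/hello.conf"
    chmod 0666 "$pkg/etc/hello.conf"        # world-writable: flagged
    printf '#!/bin/sh\n' > "$pkg/usr/bin/helper"
    chmod 4755 "$pkg/usr/bin/helper"        # setuid: flagged
}

# Stand-alone demo: ./audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    PKG=$(mktemp -d)
    make_sample_tree "$PKG"
    audit_pkg_tree "$PKG"
    rm -rf "$PKG"
fi
```

Run with --demo to see the findings for the constructed tree; on a real build, point audit_pkg_tree at the $PKG directory before calling makepkg.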