From xemacs-m  Thu Apr  3 00:12:49 1997
Received: from mailbox1.ucsd.edu (mailbox1.ucsd.edu [132.239.1.53])
	by xemacs.org (8.8.5/8.8.5) with ESMTP id AAA07280
	for <xemacs-beta@xemacs.org>; Thu, 3 Apr 1997 00:12:48 -0600 (CST)
Received: from sdnp5.ucsd.edu (sdnp5.ucsd.edu [132.239.79.10]) by mailbox1.ucsd.edu (8.8.5/8.6.9) with SMTP id WAA15289 for <xemacs-beta@xemacs.org>; Wed, 2 Apr 1997 22:12:48 -0800 (PST)
Received: by sdnp5.ucsd.edu (SMI-8.6/SMI-SVR4)
	id WAA07286; Wed, 2 Apr 1997 22:14:30 -0800
Sender: dmoore@sdnp5.ucsd.edu
To: XEmacs Beta Mailing List <xemacs-beta@xemacs.org>
Subject: Re: A security hole during XEmacs installation
References: <kig7mipznnu.fsf@jagor.srce.hr> 	<m2raguibri.fsf@altair.xemacs.org> 	<199704012241.OAA06912@newman> 	<m2u3lqtesy.fsf@altair.xemacs.org> 	<199704030117.RAA00359@wmperry.in.aventail.com> 	<rviv24slhj.fsf@sdnp5.ucsd.edu> <QQcjqd25103.199704030559@crystal.WonderWorks.COM>
X-Face: "oX;zS#-JU$-,WKSzG.1gGE]x^cIg!hW.dq>.f6pzS^A+(k!T|M:}5{_%>Io<>L&{hO7W4cicOQ|>/lZ1G(m%7iaCf,6Qgk0%%Bz7b2-W3jd0m_UG\Y;?]}4s0O-U)uox>P3JN)9cm]O\@,vy2e{`3pb!"pqmRy3peB90*2L
Mail-Copies-To: never
Mime-Version: 1.0 (generated by tm-edit 7.106)
Content-Type: text/plain; charset=US-ASCII
From: David Moore <dmoore@ucsd.edu>
Date: 02 Apr 1997 22:14:29 -0800
In-Reply-To: Kyle Jones's message of Thu, 3 Apr 1997 00:59:36 -0500 (EST)
Message-ID: <rvhghoske2.fsf@sdnp5.ucsd.edu>
Lines: 21
X-Mailer: Gnus v5.4.37/XEmacs 19.15

Kyle Jones <kyle_jones@wonderworks.com> writes:

> David Moore writes:
>  > The reason we don't use cp is just to keep the timestamps?
> 
> I don't know about "just" but it is a good reason.  Unless you want
> to see a lot of "Loading blah... (blah.el is newer)" messages.

No, I meant the original timestamps.  You can get around the warning
messages by just touching all of the elc files.  Or copying in two
passes.

I haven't thought much about whether we should install with a given uid
or another, but I'm curious if there is a technical preference.  And I
do note that most software when installed by root gets owned by root.
If you want it to be owned by other people, you generally have to
arrange it that way.  In this particular case, almost every file will
get the root uid except the lisp tree, which seems a bit dangerous,
since people may not notice that a user still owns those files, etc.

A consistent solution seems like a good idea.

