lock down the binary #208
Comments
|
I could technically disable these options in the generated archives, but it would not really prevent determined users from handling the archive manually and extracting/listing its contents as in the end it is still a plain old compressed tar archive. Any user worth its salt can look at the beginning of the archive to figure out how to do it. |
|
The main reason is that I would like to make it "not so obvious". And it would be better to prove if anyone mucked around with it. If you would just be able to "disable" these options during the build phase that would be great. |
|
Hello Stepahne, Any plans to get this in place or have you decided not to do it? Regards, |
|
It's a low priority at the moment. However if you want to contribute a pull request, I'd be happy to merge it. |
Introduce the ability to remove the --keep --verbose --list --noexec and other -- parameters in the compilation in order to retain a clean binary which does not leave traces and does also not provide the option to leave traces.
This also ensures a somewhat better form of control of the content.
Reason is that in production environments administrators and security people do not allow these options to be present in order to ensure a safety regulation is followed. The current flags do provide that option and may cause harm if embedded scripts are not executed in order as designed.
The text was updated successfully, but these errors were encountered: