Comment 29 for bug 12030

In , Javier Fernández-Sanguino (jfs) wrote: Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)

On Wed, Jan 19, 2005 at 10:24:20AM +0100, Martin Pitt wrote:
> I read your patch, but I deliberately wrote my own very simple
> version, because:

Martin, just to get things straight, my comments are not directed
towards you, but towards the vim maintainer.

>
> - I wanted to avoid the tempfile race in any case, so if mktemp is not
> available, the script should rather fail than be vulnerable. mktemp
> is shipped in a required package, so we can assume it is there.

It would be best if instead of

tmp_tagfile=`mktemp -t tcltagXXXXXX` || exit 1

you had used

tmp_tagfile=`mktemp -t tcltagXXXXXX` || { echo "$0: error creating the temporary file" >&2; exit 1 ;}

IMHO

> - A security update must be as simple and unintrusive as possible. I
> do not care about the widest possible upstream portability in
> security updates, the solution only needs to work on the platforms
> we support.

Well, in the Debian case (not Ubuntu's) the patch was not intended to be
used as a DSA (since even if the code is in stable, it's in
/usr/share/doc). I wasn't complaining about the Ubuntu update, but about
the use of Ubuntu's patch in Debian when mine could be used instead for the
sid upload (and would've been more consistent with upstream source).

> > - no credit is given to me, which I would have appreciated
>
> I credited you in the announcement [1] since you found the bug.

I was mentioning Debian's changelog, not Ubuntu's advisory.
Actually, all my statements are about how this bug has been handled by the
Debian maintainer, who takes no action until an Ubuntu advisory is
released.

In any case, no use in arguing this when there are so many things to work on
(and so many similar security bugs to report).

Regards

Javier
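Added example, not vim's tcltags script and not either poster's patch: a POSIX sh function that follows the "fail rather than be vulnerable" approach discussed in the exchange above (mktemp or a clear error, never a fallback to a predictable name), plus a check that the file mktemp created is private to the caller. The function names, the cleanup trap and the permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example: secure temporary file creation in the spirit of the
# mktemp discussion above. Not code from vim, Debian or Ubuntu.

# Create a private temporary file with mktemp and store its path in the
# global variable tmp_tagfile. If mktemp is missing or fails, report the
# problem on stderr and return non-zero: the caller must stop, not fall
# back to a fixed path such as /tmp/tcltag (that is the race being avoided).
make_tmp_tagfile() {
    tmp_tagfile=$(mktemp -t tcltagXXXXXX) || {
        echo "$0: error creating the temporary file" >&2
        return 1
    }
    # Remove the file on normal exit or on interruption so it never lingers.
    # Note: trap is process-global, so call this function directly, not
    # inside $( ... ), or the EXIT trap fires when that subshell ends.
    trap 'rm -f "$tmp_tagfile"' EXIT INT TERM HUP
    return 0
}

# Return 0 only if the path is a regular file with mode 0600, which is what
# mktemp creates. The first ten columns of ls -l are portable across
# GNU and BSD userlands; column 11 may carry an ACL/SELinux marker.
check_private_file() {
    f=$1
    [ -f "$f" ] || return 1
    case $(ls -l "$f" | cut -c1-10) in
        -rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (constructed): fail closed if the file cannot be made, then check it.
#   make_tmp_tagfile || exit 1
#   check_private_file "$tmp_tagfile" || exit 1
```

Running the function with mktemp removed from PATH exercises the failure path: it prints the error and returns 1 instead of leaving the script with an unsafe fallback.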