Message-ID: <email address hidden>
Date: Wed, 19 Jan 2005 11:40:47 +0100
From: Javier Fernández-Sanguino Peña <email address hidden>
To: Martin Pitt <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#289560: acknowledged by developer (Bug#289560: fixed in vim 1:6.3-058+1)
On Wed, Jan 19, 2005 at 10:24:20AM +0100, Martin Pitt wrote:
> I read your patch, but I deliberately wrote my own very simple
> version, because:
Martin, just to get things straight, my comments are not directed
towards you, but towards the vim maintainer.
>
> - I wanted to avoid the tempfile race in any case, so if mktemp is not
> available, the script should rather fail than be vulnerable. mktemp
> is shipped in a required package, so we can assume it is there.
It would be best if instead of

    tmp_tagfile=`mktemp -t tcltagXXXXXX` || exit 1

you had used

    tmp_tagfile=`mktemp -t tcltagXXXXXX` || { echo "$0: error creating the temporary file" >&2; exit 1 ;}

IMHO
> - A security update must be as simple and unintrusive as possible. I
> do not care about the widest possible upstream portability in
> security updates, the solution only needs to work on the platforms
> we support.
Well, in the Debian case (not Ubuntu's) the patch was not intended to be
used as a DSA (since even if the code is in stable, it's in
/usr/share/doc). I wasn't complaining about the Ubuntu update, but about
the use of Ubuntu's patch in Debian when mine could be used instead for the
sid upload (and would've been more consistent with upstream source)
> > - no credit is given to me, which I would have appreciated
>
> I credited you in the announcement [1] since you found the bug.
I was mentioning Debian's changelog, not Ubuntu's advisory.
Actually, all my statements are about how this bug has been handled by the
Debian maintainer, who takes no action until an Ubuntu advisory is
released.
In any case, no use in arguing this when there are so many things to work on
(and so many similar security bugs to report)
Regards
Javier
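As an added example (not the vim tcltags script and not either patch from this thread), the predictable temp-file pattern that causes the race beside the mktemp-based replacement Martin and Javier discuss: it fails hard when mktemp is missing and prints Javier's suggested message on stderr when creation fails. The function names are assumptions; the tcltagXXXXXX template is the one quoted above.

```shell
#!/bin/sh
# Added example: secure temporary tag file creation for a shell script.

# 'Before' pattern: a name built from the PID is guessable, so a local user
# who pre-creates a file or symlink of that name controls where the script
# writes. Kept only to show what the mktemp version replaces.
insecure_tmpname() {
    echo "/tmp/tcltag$$"
}

# Hardened version: mktemp creates the file atomically, mode 0600, with a
# random suffix. If mktemp is absent the script fails rather than falling
# back to a predictable name; if creation fails, say so on stderr.
# The created path is printed on stdout for the caller to capture.
make_tagfile() {
    if ! command -v mktemp >/dev/null 2>&1; then
        echo "$0: mktemp not available, refusing to use a predictable temp file" >&2
        return 1
    fi
    tmp_tagfile=`mktemp -t tcltagXXXXXX` || {
        echo "$0: error creating the temporary file" >&2
        return 1
    }
    printf '%s\n' "$tmp_tagfile"
}
```

The caller should `rm -f` the file when done (for example from a `trap ... EXIT`), which the mktemp call itself does not arrange.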