Comment 21 for bug 1625402
Revision history for this message
| Brian Rosmaita (brian-rosmaita) wrote | #21 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
Thanks everyone for all the thought and effort on this issue.
Here's a summary of the situation:
(1) the ova extraction task was introduced in mitaka
(2) the tasks api was made admin only by default in mitaka
(3) the ova extraction task is admittedly fragile and subject to various exploits
(4) there is an extra check in the task to make sure the context is admin before the task is executed [0,1]
(5) the task doesn't execute unless the work_dir (used only by tasks) is set
I think this leaves us in the situation that Nikhil described earlier, namely, that a security note is the correct course of action, mainly to remind operators to be careful in handling images from non-reputable sources.
[0] https:/
[1] https:/