Comment 2 for bug 1650427
Revision history for this message
| Joe Talbott (joetalbott) wrote Re: [Bug 1650427] [NEW] predictable /tmp names | #2 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
The purpose of using predictable directories is to prevent having to
pull entire origins for each part as well as for each parser run. One
common problem the parser encounters is repos that have changed in a
manner that a simple "pull" will cause an error. One way to avoid
this is to have the parser pull origins into a new temporary directory
for each invocation of the parser. This solves both problems at the
cost of a lot of duplicate downloads across parser runs. Thoughts?
Note: this is only the case for the parser which isn't intended for
users to run.
On Thu, Jan 5, 2017 at 7:17 PM, Launchpad Bug Tracker
<email address hidden> wrote:
> *** This bug is a security vulnerability ***
>
> Sergio Schvezov (sergiusens) has assigned this bug to you for Snapcraft:
>
> In bug 1614520 there is some error output:
>
> subprocess.
> .comjosephtinde
>
> Using "predictable" names in world writable directories is often a
> security flaw. I haven't inspected snapcraft close enough to determine
> if this is an issue. But I'd feel better if snapcraft would use a
> mechanism based on safer primitives such as Python's mkdtemp() function
> in order to make a scratch directory in /tmp/:
>
> https:/
>
> An alternative would be to use per-user temporary storage location such
> as ~/tmp/.
>
> Thanks
>
> ** Affects: snapcraft
> Importance: Undecided
> Assignee: Joe Talbott (joetalbott)
> Status: Confirmed
>
> --
> predictable /tmp names
> https:/
> You received this bug notification because you are a bug assignee.