Steve Langasek wrote on 18/11/2005 at 18:19:
> While it is desirable to have sed preserve EAs and ACLs when used with
> -i, I think this severity is overinflated and the security tag is
> incorrect.
I won't argue on the severity (I was not really sure which I had to
choose), but the bug indeed affects the security of the user's account.
> There are lots of ways that one can manage to lose ACLs and EAs on
> files using traditional Unix tools;
But shouldn't simply *all* problematic packages be filed a security bug?
> Given that most users are going to get this wrong when *not* using the
> -i option to sed for in-place editing, I don't see any grounds for
> treating this as a grave bug.
I see this the opposite way: that makes the bug and its little brothers
more serious, because it's not isolated...
Quickly,
Nowhere man
-- 
<email address hidden>
OpenPGP 0xD9D50D8A
Message-ID: <email address hidden>
Date: Sat, 19 Nov 2005 11:35:09 +0100
From: Pierre THIERRY <email address hidden>
To: Steve Langasek <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#339793: sed: In-place editing (-i flag) drops EA (ACLs and user-defined)