Comment 3 for bug 25921

Message-ID: <email address hidden>
Date: Sat, 19 Nov 2005 11:35:09 +0100
From: Pierre THIERRY <email address hidden>
To: Steve Langasek <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#339793: sed: In-place editing (-i flag) drops EA (ACLs and user-defined)

--YZ5djTAD1cGYuMQK
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Scribit Steve Langasek dies 18/11/2005 hora 18:19:
> While it is desirable to have sed preserve EAs and ACLs when used with
> -i, I think this severity is overinflated and the security tag is
> incorrect.

I won't argue on the severity (I was not really sure which I had to
choose), but the bug indeed affects the security of the user's account.

> There are lots of ways that one can manage to lose ACLs and EAs on
> files using traditional Unix tools;

But shouldn't simply *all* problematic packages be filed a security bug?

> Given that most users are going to get this wrong when *not* using the
> -i option to sed for in-place editing, I don't see any grounds for
> treating this as a grave bug.

I see this the opposite way: that make the bug and it's little brothers
more serious, because it's not isolated...

Quickly,
Nowhere man
--=20
<email address hidden>
OpenPGP 0xD9D50D8A

--YZ5djTAD1cGYuMQK
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDfv/dxe13INnVDYoRAouBAKCVV3iCc859e/m53a7wvEOxLLuTLACg0Rlh
z4Br3uTSBrh1JVuZOUFDNQo=
=ntJC
-----END PGP SIGNATURE-----

--YZ5djTAD1cGYuMQK--