Re: Secure APT (was: Re: New Maintainers)
On Mon, Sep 22, 2003 at 09:07:42PM +0200, Florian Weimer wrote:
> On Mon, Sep 22, 2003 at 10:07:03AM -0400, Matt Zimmerman wrote:
> > A great deal of work has been done in this area. See
> > http://bugs.debian.org/203741 for information. It would be great if you
> > would like to help with this.
> Has the patch been integrated into CVS? I think so (but the bug report
> doesn't say so explicitly).
No, it hasn't, because I'm trying to get a new apt into testing, and
introducing a lot of new code like this usually doesn't help. I was hoping
to have a new apt safely in testing by now, and to be able to put this into
unstable and start getting testing for it, but since glibc and gcc-3.3 held
up apt's progress into testing for so long, this has been problematic.
> > Can you be more specific? Are there bugs filed?
> It's not exactly a bug, it's considered a feature: By default
> /etc/mailcap is populated with tons of entries. This leads to very
> Windows-like behavior in many mail clients ("click and regret").
> Someone suggested on Usenet that packages should install these entries,
> but disable them using comments. Some packages will be updated to query
> the user before invoking an external viewer, but if we rely solely on this
> approach, it will take ages before mailcap handling is more robust.
In the past, packages which have had problematic rules like this (for
example, scripting languages with mailcap entries to execute scripts) have
removed them for security reasons. I think such entries are justification
for bug reports.
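
Added example, not part of the original message: a small audit of mailcap text that lists active entries whose view command hands the attachment straight to a script interpreter, the kind of rule described above as justification for a bug report. The interpreter list and the sample entries are assumptions constructed for illustration; entries disabled with a comment are skipped.

```python
import re

# Assumed deny-list; the thread only says "scripting languages".
INTERPRETERS = {"sh", "bash", "perl", "python", "python3", "ruby", "tclsh", "wish"}

# Constructed sample in mailcap (RFC 1524) syntax, not taken from a real system.
SAMPLE = """\
# constructed sample
text/html; /usr/bin/w3m -T text/html %s; needsterminal
application/x-perl; /usr/bin/perl %s
#application/x-sh; /bin/sh %s
application/x-python; \\
    python3 %s; test=test -n "$DISPLAY"
image/png; display %s
"""

def parse_mailcap(text):
    """Yield (lineno, mime_type, view_command) for each active entry."""
    logical, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not logical:
            if not raw.strip() or raw.lstrip().startswith("#"):
                continue  # blank line, or an entry disabled with a comment
            start = n
        if raw.endswith("\\"):
            logical += raw[:-1]  # backslash-newline continues the entry
            continue
        logical += raw
        # Fields are separated by ';' unless the ';' is backslash-escaped.
        fields = [f.strip() for f in re.split(r"(?<!\\);", logical)]
        logical = ""
        if len(fields) >= 2:
            yield start, fields[0].lower(), fields[1]

def risky_entries(text):
    """Return entries whose view command starts with a known interpreter."""
    hits = []
    for lineno, mime, cmd in parse_mailcap(text):
        words = cmd.split()
        prog = words[0].rsplit("/", 1)[-1] if words else ""
        if prog in INTERPRETERS:
            hits.append((lineno, mime, cmd))
    return hits

if __name__ == "__main__":
    for lineno, mime, cmd in risky_entries(SAMPLE):
        print(f"line {lineno}: {mime} -> {cmd}")
```

To check a real system, pass the contents of /etc/mailcap to risky_entries() instead of SAMPLE.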