Re: preparing 2.3.6

[Matt Kraai <kraai@debian.org>]

On Wed, Jun 20, 2001 at 12:18:47AM -0600, Erik Andersen wrote:
> On Tue Jun 19, 2001 at 03:09:05PM -0800, Ethan Benson wrote:
> > On Tue, Jun 19, 2001 at 04:51:37PM -0400, Adam Di Carlo wrote:
> > > 
> > > I'm preparing 2.3.6 now.  I'm going to build that tonight if possible
> > > and if that passes some tests on i386 then release that.
> > > 
> > > So please sync any changes for 2.3.6 over the next 60 minutes!
> > 
> > note that this version will still create insecure systems because
> > busybox tar is still broken (just not as badly as before).  see bug #101169.
> 
> I havn't had a chance yet to look into fixing it.  Hopefully in the morning...

I think it is sufficient to remove the calls to umask (0) in
tar.c.  We always call chmod on the created file, so the only way
this could cause problems is if the umask of the file disallows
all write permissions.  In this case, GNU tar fails so I don't
think we should have to do more.

Furthermore, I think that it really is a problem with base-files.
Relying on the umask set when debootstrap is run to ensure a
secure system is scary.

Matt