
Re: UDD bugs stale?



On 19/03/12 at 12:12 -0700, Don Armstrong wrote:
> On Mon, 19 Mar 2012, Lucas Nussbaum wrote:
> > I kind-of fail to see the point. If I run a script as user 'lucas',
> > I of course expect it to be run as user 'lucas', and I need to trust
> > the code to some level. How is that different with debbugs ?
> 
> It's only different with the configuration file when
> DEBBUGS_CONFIG_FILE is set. If the configuration file is installed in
> /etc/debbugs/config, it doesn't check for the UID to match.
> 
> The main idea was to avoid YA environmental variable that could be
> used as a means to execute code that hadn't been checked previously...
> and honestly, I didn't expect anyone to be using it to run a
> configuration file stored in an arbitrary location. [I primarily
> intended it to be used during testing.]

I see. In our case, we use it to point to
/org/bugs.debian.org/etc/config, since that's where our local mirror
lives. Maybe you could make this path part of the "search path" for
this config file, which would remove the need for the env variable?

Lucas
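
The behaviour discussed in this thread, as an added Python sketch that is not debbugs code and not part of the original messages: a path taken from DEBBUGS_CONFIG_FILE is accepted only if the file's owner matches the running user, while fixed search-path locations are loaded without that check. The function name, the use of the effective UID, the second search-path entry (Lucas's proposal) and the writability check are assumptions.

```python
import os
import stat
import tempfile

ENV_VAR = "DEBBUGS_CONFIG_FILE"
# Fixed locations loaded without an owner check: the first is named in the
# thread, the second is the mirror path proposed for the search path.
SEARCH_PATH = ("/etc/debbugs/config", "/org/bugs.debian.org/etc/config")


def resolve_config(environ, euid, search_path=SEARCH_PATH):
    """Return (path, reason); path is None when no config may be loaded."""
    override = environ.get(ENV_VAR)
    if override:
        # The path came from the environment, so it is only accepted when
        # the file belongs to the user the process runs as.
        try:
            st = os.stat(override)
        except OSError as exc:
            return None, f"override not usable: {exc.strerror}"
        if not stat.S_ISREG(st.st_mode):
            return None, "override is not a regular file"
        if st.st_uid != euid:
            return None, f"override owned by uid {st.st_uid}, running as uid {euid}"
        # Extra hardening, not mentioned in the thread: refuse files that
        # other accounts could rewrite after the owner check.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return None, "override is group- or world-writable"
        return override, "override accepted: owner matches"
    for candidate in search_path:
        if os.path.isfile(candidate):
            return candidate, "found on fixed search path"
    return None, "no configuration file found"


if __name__ == "__main__":
    # Constructed sample: a throwaway file owned by the current user.
    with tempfile.NamedTemporaryFile(suffix=".config") as tmp:
        me = os.geteuid()
        print(resolve_config({ENV_VAR: tmp.name}, me))
        print(resolve_config({ENV_VAR: tmp.name}, me + 1))
        print(resolve_config({}, me, search_path=(tmp.name,)))
```

With the mirror path on the fixed search path, the environment variable and its owner check are never consulted for that location.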

