Re: How to cope with patches sanely
- To: email@example.com
- Subject: Re: How to cope with patches sanely
- From: Florian Weimer <firstname.lastname@example.org>
- Date: Fri, 29 Feb 2008 21:30:16 +0100
- Message-id: <email@example.com>
- In-reply-to: <firstname.lastname@example.org> (Ben Finney's message of "Thu, 31 Jan 2008 23:51:05 +1100")
- References: <email@example.com> <20080129014103.GA16484@scowler.net> <20080130172152.GA20648@kodama.kitenet.net> <firstname.lastname@example.org> <email@example.com>
* Ben Finney:
> It's no security risk to unpack a tarball, apply a patch to it via GNU
> 'patch', and examine the result.
History should tell you that this is not true. 8-) I can even understand
people who state that GNU tar should never be used to uncompress
tarballs from untrusted sources, and we therefore do not need to provide
security support for it, but this is going a bit too far for my taste.
But my point really is: Please do not use potential security issues
as arguments. The overall situation is sufficiently bad that this can
be used to prove *anything*.