Re: Too many Recommends (in particular on mail-transport-agent)
On Tue, Jun 06, 2017 at 11:29:20PM +0200, Michael Biebl wrote:
> Am 06.06.2017 um 15:55 schrieb Adam Borowski:
> > gvfs: atril easytag thunar
> > * BAD: gvfs is a major annoyance and a security hole
> "Annoys Adam Borowski" is not a very convincing argument.

For the first part, it indeed varies by use case.  I don't recall ever using
a USB or SD attached storage for "data" in a Unix machine, yet I have two
SD readers, four cards and one USB stick on my desk right now despite having
cleaned the desk a few days ago.  It's just always a "disk" for some SoC
or bootable media (d-i, etc).

Some people may disagree.

> As for "security hole", I'm not sure what exactly you have in mind there.
> I don't see any open CVEs or bugs tagged with security against gvfs.

I found a security hole in the vfat driver as an idiot kid ~20 years ago,
before I even started using Linux myself.  That particular filesystem is
simplistic enough to _possibly_ be exploitable bug free by now, but as a
btrfs@vger regular, I hear about enough unintentional corruption-caused
failures that I see no way the filesystem could be secured against a
malicious image without an extreme effort that would also destroy
performance.  And that's a maintained filesystem.  We do, in our default
kernel, ship drivers for so many obscure filesystems no one has used for
years that I'm 100% certain you can find an arbitrary code execution bug
triggerable by just mounting such an untrusted USB stick.

⢀⣴⠾⠻⢶⣦⠀ A tit a day keeps the vet away.
⢿⡄⠘⠷⠚⠋⠀ (Rejoice as my small-animal-murder-machine got unbroken after
⠈⠳⣄⠀⠀⠀⠀ nearly two years of no catch!)