
Re: set of patches



Raphael Geissert <atomo64+debian@gmail.com> writes:

> Attached are the following two patches in a git-friendly mbox format:
>
> lintian_enhanced_possibly-insecure-handling-of-tmp-files-in-maintainer-script.patch:
> Requires the tmp dir to have a name, thus reducing the number of
> false positives, and allows it to check for "= /tmp/foo", thus also
> decreasing the number of false negatives (or at least I hope it does).

> It no longer ignores mkdir as it may also suffer from attacks when the
> error is ignored, compacts the mktemp/mkstemp checks and ignores the
> line if $RANDOM is present.

I'm not comfortable with removing mkdir on the grounds that it *might* not
be error-checked.  Nearly all maintainer scripts are error-checked, which
makes mkdir safe.

This otherwise looks okay, though, so I'll apply it without that change.

> lintian_maintainer-also-in-uploaders.patch:
> Added to detect situations where the person in the Maintainer field is also
> in Uploaders.

Thanks, applied with some changes to the long tag description and the
addition of the Severity/Certainty tags.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
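The heuristic the two messages argue over, written out as an added Python example so the trade-off is concrete; this is not lintian's own Perl check and not code from either author. It requires an actual name after /tmp/ (so a bare "cd /tmp" is not a hit), skips lines that use mktemp/mkstemp or $RANDOM, and trusts mkdir only when the script enables errexit, which is Russ's position. One rule is this example's own addition and is marked as such: "mkdir -p" is treated as unchecked even under "set -e", because -p makes mkdir return success for a directory that already exists, so errexit never fires. The sample postinst is constructed for the example.

```python
import re

# Constructed sample maintainer script for this example; not from any package.
SAMPLE_POSTINST = """\
#!/bin/sh
set -e
TMPFILE=/tmp/foo.$$
OTHER= /tmp/bar
mkdir /tmp/foo-work
mkdir -p /tmp/foo-cache
TMP=$(mktemp /tmp/foo.XXXXXX)
LOG=/tmp/foo-$RANDOM
cd /tmp
"""

# A hit needs a name after /tmp/, so "cd /tmp" alone does not match.
TMP_NAME = re.compile(r"/tmp/[^\s;|&'\"<>()]+")

# Lines using these are treated as safe and skipped outright.
SAFE_TOKENS = ("mktemp", "mkstemp", "$RANDOM")


def is_error_checked(script):
    """True if the script enables errexit (set -e, set -eu, set -o errexit)."""
    return re.search(r"^\s*set\s+(-\w*e\w*|-o\s+errexit)\b", script, re.M) is not None


def find_insecure_tmp(script):
    """Return (lineno, line, reason) for each use of a fixed name under /tmp.

    mkdir at the start of a line is trusted when the script is error-checked,
    except with -p (example's own rule: -p suppresses the EEXIST failure that
    errexit would otherwise turn into an abort).
    """
    checked = is_error_checked(script)
    hits = []
    for n, line in enumerate(script.splitlines(), 1):
        if not TMP_NAME.search(line):
            continue
        if any(tok in line for tok in SAFE_TOKENS):
            continue
        m = re.match(r"\s*mkdir\b(.*)", line)
        if m:
            has_p = re.search(r"(^|\s)-\w*p", m.group(1)) is not None
            if checked and not has_p:
                continue  # errexit aborts if an attacker pre-created the directory
            reason = ("mkdir -p ignores an existing directory" if has_p
                      else "mkdir without error checking")
            hits.append((n, line.strip(), reason))
        else:
            hits.append((n, line.strip(), "fixed name under /tmp"))
    return hits


if __name__ == "__main__":
    for script in (SAMPLE_POSTINST, SAMPLE_POSTINST.replace("set -e\n", "")):
        print("error-checked:", is_error_checked(script))
        for lineno, text, reason in find_insecure_tmp(script):
            print(f"  line {lineno}: {text}  [{reason}]")
```

Run against the sample as written, the plain "mkdir /tmp/foo-work" is not reported; strip the "set -e" line and it is, which is exactly the false-positive versus false-negative choice Russ and Raphael are weighing.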

