Re: rdflib / CVE-2019-7653
Brian May wrote:
> > Hm, does this not still omit the rationale for the non-trivial changes
> > to the build system? Or at least it doesn't make the connection very
> > obvious to someone installing the package.
>
[…]
> + * CVE-2019-7653: The Debian package had a custom wrapper that can load
> + Python modules from the current working directory, allowing code injection.
> + This is because "python -m" looks in this directory. This version uses the
> + easy_install provided scripts instead of our custom scripts.
>
> If this is not sufficient, can you suggest something better?
Something that at least references why the build/runtime moves to
Python 3.x (or whatever). Running out of ways to try and explain
this angle. :)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org 🍥 chris-lamb.co.uk
`-
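The hazard the changelog entry describes, as an added illustration that is not part of this thread nor of the rdflib or Debian packaging code: `python -m pkg.mod` puts the current working directory at the front of `sys.path`, whereas an installed console script puts its own (root-owned) directory there. The helper below audits an import path for entries that resolve to the working directory; the path lists in the test are constructed, not taken from a real system.

```python
"""Audit an import path for the CVE-2019-7653 class of hazard.

Added example, not the rdflib or Debian package code. With
`python -m pkg.mod` CPython inserts '' (the current working
directory) as sys.path[0], so any module file in a user-writable cwd
shadows the real one. An installed console_script instead sets
sys.path[0] to the script's own directory, e.g. /usr/bin.
"""
import os
import sys


def cwd_import_roots(path_entries, cwd):
    """Return the entries of `path_entries` that resolve to `cwd`.

    '' and '.' are CPython's spellings for "current directory"; other
    relative entries are resolved against `cwd`, absolute ones are
    normalised, so '/tmp/x/' and '/tmp/x' compare equal.
    """
    cwd = os.path.normpath(os.path.abspath(cwd))
    hits = []
    for entry in path_entries:
        # os.path.join keeps an absolute entry unchanged and anchors a
        # relative one (including '' and '.') at cwd.
        resolved = os.path.normpath(os.path.join(cwd, entry))
        if resolved == cwd:
            hits.append(entry)
    return hits


def imports_from_cwd(path_entries, cwd):
    """True when modules in `cwd` would be picked up by `import`."""
    return bool(cwd_import_roots(path_entries, cwd))


def audit_running_interpreter():
    """Check the live interpreter; useful inside a wrapper script."""
    hits = cwd_import_roots(sys.path, os.getcwd())
    if hits:
        # Mitigations: invoke through an installed entry point, or start
        # the interpreter with -I (isolated mode) so cwd is not added.
        return "import path includes cwd via %r" % (hits,)
    return "ok"


if __name__ == "__main__":
    print(audit_running_interpreter())
```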