OoO Pendant le temps de midi du samedi 16 août 2008, vers 12:36, Sven
Dowideit <SvenDowideit@home.org.au> disait :
> frustratingly, I'm not a DD
> and Worse. I have an emergency update to TWiki for a security issue that
> needs fixing for Lenny, but I have no DD to help me upload it
> Anyone here willing to do a quick package upload of TWiki in the next
> day?
Hi Sven!
I would be happy to upload your fix but I disagree with it. As pointed
by Olivier at the end of the bug report, /tmp can be flushed at boot or
by some cronjobs. Therefore, you cannot ensure that the twiki directory
still exists when twiki will be running.
I cannot give an universal solution, but in Roundcube, we use
/var/lib/roundcube/temp and we provide a cron job that will clean it
every m days where <m> can be set by the user in /etc/default/roundcube
(and I just noticed that this is broken... will upload a fix). This way,
we don't fill up /var but we don't rely on anything in /tmp. Moreover,
we don't have to handle a complex script in postinst to circumvent
symlinks attacks.
The problem with webapps is that we don't have a clear policy of what to
do. You can just look at other packages, like phpmyadmin, mediawiki,
etc. Each attempt to establish a webapps policy seems to be aborted.
--
Make sure all variables are initialised before use.
- The Elements of Programming Style (Kernighan & Plauger)
Attachment:
pgp6eoIm77bCS.pgp
Description: PGP signature