Bug#683184: RFS: suckless-tools/39-1 [ITA]
* Vasudev Kamath <kamathvasudev@gmail.com>, 2012-07-30, 21:56:
It doesn't look like it's suitable for wheezy, so please make it
s/unstable/experimental/.
Done! When should it be moved to unstable? After wheezy release?
Yes, after wheezy is released.
+-$ $(tabbed -d >/tmp/tabbed.xid); urxvt -embed $(</tmp/tabbed.xid);
++$ $(tabbed \-d >/tmp/tabbed.xid); urxvt \-embed $(</tmp/tabbed.xid);
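Review bot: on the `+` line the window id is still written to the fixed path /tmp/tabbed.xid, which any local user can create or symlink before `tabbed` runs, and `urxvt \-embed` then uses whatever that file contains. The outer `$( )` around `tabbed \-d >/tmp/tabbed.xid` also expands to nothing because stdout is redirected, and `$(</tmp/tabbed.xid)` is not POSIX sh. Suggest capturing the id directly, or writing it to a file in a directory only the user can write to.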
If you're fixing this, please also fix the security hole (insecure use
of temporary files).
Done too
So it's now:
TMPFILE=$(mktemp \-\-tmpdir tabbedxid.XXX);$(tabbed \-d > ${TMPFILE});urxvt \-embed $(<${TMPFILE})
which is certainly better from a security perspective, but not necessarily
from a usability one. I think the reason for storing the xid in a file with
a predictable name was that it allowed you to connect more than one urxvt
to the same tabbed. So I think that:
1) TMPFILE is a bad variable name for this purpose;
2) you could have saved one level of indirection by storing "tabbed -d"
output directly into the variable (rather than into temporary file);
3) perhaps it would make more sense to use a file somewhere in $HOME.
+ @cd /tmp
+ @tar -cvf - suckless-tools_$(CURRENT_VERSION) 2> /dev/null | gzip -9 > ../suckless-tools_$(CURRENT_VERSION).orig.tar.gz
+ @rm -rf /tmp/suckless-tools_$(CURRENT_VERSION)
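Review bot: `@cd /tmp` on its own recipe line has no effect on the `tar` and `rm` lines after it, since make runs each recipe line in a separate shell (unless `.ONESHELL` is set), so `tar` runs in the original directory and `../` is relative to that. The path /tmp/suckless-tools_$(CURRENT_VERSION) is also a predictable name in a world-writable directory, and with `2> /dev/null` plus the pipe into `gzip` a failed `tar` still leaves an .orig.tar.gz behind. Suggest creating the work directory with `mktemp -d` inside the recipe and chaining the commands with `&&` on one logical line.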
This creates temporary files insecurely.
Fixed.
I see you did this:
get-orig-source: TMPDIR :=$(shell (mktemp --tmpdir -d suckless-tools.XXXX))
It looks like a nice hack, but... it will create a temporary directory
every time debian/rules is run (not only for the get-orig-source
target).
Instead of pushing a new package to mentors, I've pushed my changes to
the collab-maint repository [1]. Hope that is fine with you; if not, let me
know.
[1] git.debian.org:/git/collab-maint/suckless-tools.git
That's okay.
--
Jakub Wilk
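
The three suggestions in the message above (a clearer name, no throwaway temporary file, a file under $HOME so several urxvt instances can share one tabbed), sketched as an added example; it is not code from this thread or from suckless-tools. `XID_DIR`, `valid_xid`, `save_xid` and `load_xid` are hypothetical names, and the accepted id format is an assumption about what `tabbed -d` prints.

```shell
#!/bin/sh
# Added example, not from the thread. XID_DIR and the function names are
# hypothetical; override XID_DIR to keep several tabbed instances apart.
XID_DIR="${XID_DIR:-$HOME/.tabbed}"

# Assumption: tabbed -d prints a hex id such as 0x1a00003; decimal is accepted too.
valid_xid() {
    case "$1" in
        0x*) hex=${1#0x}
             case "$hex" in ''|*[!0-9a-fA-F]*) return 1 ;; esac ;;
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# Store the id under XID_DIR, which is created with mode 0700 if missing.
save_xid() {
    valid_xid "$1" || return 1
    (
        umask 077
        mkdir -p "$XID_DIR" || exit 1
        [ -d "$XID_DIR" ] && [ ! -L "$XID_DIR" ] || exit 1
        # Write to a fresh file, then rename: rename replaces a symlink
        # left at the final name instead of writing through it.
        tmp=$(mktemp "$XID_DIR/xid.XXXXXX") || exit 1
        printf '%s\n' "$1" > "$tmp" && mv -f "$tmp" "$XID_DIR/xid"
    )
}

# Print the stored id, or fail if the file is a symlink or holds anything else.
load_xid() {
    [ -f "$XID_DIR/xid" ] && [ ! -L "$XID_DIR/xid" ] || return 1
    xid=$(cat "$XID_DIR/xid") || return 1
    valid_xid "$xid" || return 1
    printf '%s\n' "$xid"
}

# Usage (needs an X session, tabbed and urxvt):
#   save_xid "$(tabbed -d)"        # start one tabbed and remember its id
#   urxvt -embed "$(load_xid)" &   # repeat to attach more terminals
```

Validating the id on read matters because the stored value ends up on the urxvt command line.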