Re: List of bugs that *must* be fixed before releasing Slink
> Previously Brian White wrote:
> > apache 32204 user directories allow symlinks to other files  (Johnie Ingram <email@example.com>)
> We should just force SymLinksIfOwnerMatch for /home to solve this.
You know, I don't see this as "grave". It means that a user can
effectively "export to the world" any file readable by www-data. In
general, this means only things that can be read by public. So,
the user can't intentionally export anything that he/she couldn't already
do by other means.
The problem comes with unintentional exports... Well, it's a bug. I
don't see it as being a security hole. Thoughts?
> > dpkg 28817 dpkg takes no care over libdpkg  (Ian Jackson and others <firstname.lastname@example.org>)
> It's important but I wouldn't call this one release-critical.
I looked at that one time, but I wasn't sure. Is it possible that during
an upgrade to "stable" we get dpkg and dpkglib to be out-of-step?
> > dpkg 30891 dpkg: Patch for update-alternatives to fix jdk problems  (Ian Jackson and others <email@example.com>)
> > dpkg-dev 31508 parsechangelog broken?  (Ian Jackson and others <firstname.lastname@example.org>)
> I fixed these two in 220.127.116.11. I didn't close the bugs because I still
> need to fix them for the dpkg in potato.
You can downgrade them if you wish.
> > fileutils 31717 fileutils: 'mv regularfile symlink' problems  (Galen Hazelwood <email@example.com>)
> Only in potato; looks like Brian forgot to add this one to his
> exclusion-list again
> > ftp.debian.org 32364 ftp.debian.org: please remove filters from stable/frozen  (Guy Maor <firstname.lastname@example.org>)
> filters is no longer in frozen, so this can be excluded as well.
Done. Excludes list is now:
> > general 28850 gettext: security problem when used in setuid programs  (email@example.com)
> Everyone who has a package with a setuid program or something that runs
> as root should check if it uses gettext, and if so recompile it with
> the latest gettext installed. Please not that this is not necessary for
> programs that use the gettext from libc6.
That needs to be re-filed against all those packages, then.
( firstname.lastname@example.org )
You can't talk yourself out of problems you behave yourself into.