Bug#687617: [pre-approval] unblock: openarena with "really auto-download?" prompt
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
The ioquake3 engine has an option to auto-download missing maps, mods etc.
(PK3 files) from multiplayer servers. It is off by default, but many users
and mod communities encourage switching it on, since it makes playing on
modified or updated multiplayer servers considerably more straightforward.
Switching it on is a security risk, because PK3 files can also contain
executable bytecode: it's executed in a sandbox, but that sandbox is
unlikely to be perfect.
In tremulous, an old fork of ioquake3 which hadn't had the benefit of some
more recent ioquake3 work on hardening the sandbox environment, I turned off
auto-downloading entirely.
When I suggested[1] doing the same to ioquake3, which would affect openarena
in main and quake3 in contrib), unanimous feedback from users and the Games
Team was that they would prefer an "are you sure?" prompt when auto-downloading
was enabled. This moves the change from ioquake3 to openarena, since it's
openarena that provides the user interface.
Would the Release Team be OK with unblocking an openarena package that
added such a prompt? The change would look something like [2],
which I just uploaded to experimental. I'm hoping others in the Games Team
can improve the wording/display before this reaches unstable or testing.
Quake III Arena doesn't have UI for the auto-downloading option. I'm going
to assume that anyone who enables it using console commands knows what
they're doing...
Regards,
S
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686648
[2] http://anonscm.debian.org/gitweb/?p=pkg-games/openarena.git;a=commitdiff;h=eed3e6469368c38276d2d79abae89f81d881fb71
Reply to: