Bug#663104: pu: package tremulous/1.1.0-7~squeeze1 (contrib)
On Sun, 2012-03-18 at 22:17 +0000, Simon McVittie wrote:
> On 18/03/12 15:58, Adam D. Barratt wrote:
> > Specifically, this not only disables auto-downloading but prevents users
> > from turning it back on should they so wish. I assume the logic here is
> > that there may still be security issues lurking which involve untrusted
> > content and just haven't been found yet?
>
> That, but more so: auto-downloading is known (or at least strongly
> suspected) to be unsafe. Auto-downloaded PK3 files can contain
> executable bytecode to be run by a JIT compiler or interpreter, and the
> sandboxing used in Quake III Arena (and hence Tremulous and early
> ioquake3 versions) is rather lacking - it seems to have been designed
> for robustness against coding mistakes, but not against malicious bytecode.
Thanks for the explanation, and apologies for the delay in getting back
to you again; please feel free to go ahead with the upload.
Regards,
Adam
Reply to: