
Re: scrollkeeper loading external (online) DTD



>>>>> "Sebastien" == Sebastien Chaumat <schaumat@debian.org> writes:

Sebastien> Hi, this is a real example:

Sebastien>  The xbill package contains:
Sebastien> /usr/share/gnome/help/xbill/C/xbill.xml

Sebastien>  In this file the DTD is referred to by an absolute external
Sebastien> link:

Sebastien> <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML
Sebastien> V4.1.2//EN"
Sebastien> "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">

That is necessary for a DocBook file.

Sebastien>  Thus: scrollkeeper-update blindly connects to
Sebastien> www.oasis-open.org to get the docbookx.dtd.

Sebastien>  I can trust signed debian packages but I can't trust
Sebastien> www.oasis-open.org.

DTDs cannot introduce any vulnerabilities (unless the XML parser is
horribly buggy).  The worst that can happen is that the file doesn't
validate, and scrollkeeper complains.

Sebastien> More than 18 files in /usr/share/gnome/help/ induce this
Sebastien> download.

Sebastien> I'm about to make a bug report against scrollkeeper (for
Sebastien> acting blindly, and downloading the same file more than once)

IMHO, the severity of such a bug would be at most "wishlist".

Sebastien> and against packages that provide the XML files (for using an
Sebastien> external DTD instead of providing it)...

It should not be providing the DTD.  At most, it should depend on
docbook-xml, which provides the DTD, although I would suggest making it
a "Recommends" rather than "Depends".  AFAIK, if docbook-xml is
installed, scrollkeeper will use the local copy, rather than fetching it
over the network.  (If not, this should be another wishlist bug.)

(Hmm.  On my system (sid), scrollkeeper already depends on docbook-xml.)

-- 
Hubert Chan <hubert@uhoreg.ca> - http://www.uhoreg.ca/
PGP/GnuPG key: 1024D/124B61FA
Fingerprint: 96C5 012F 5F74 A5F7 1FF7  5291 AF29 C719 124B 61FA
Key available at wwwkeys.pgp.net.   Encrypted e-mail preferred.
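Added example, written for this archive page; it is not scrollkeeper's code and not from either poster. It does the check Sebastien describes (find help files whose DOCTYPE points at a remote DTD) and shows the resolution Hubert describes (serve the DTD from a local catalog entry, as the docbook-xml package provides, rather than over the network). Assumptions: the catalog is a plain Python dict standing in for an XML catalog, the local DTD is a constructed stand-in for docbookx.dtd, and the sample help file is constructed; only the DocBook 4.1.2 public and system identifiers are taken from the thread.

```python
import io
import os
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# Constructed sample help file; the DocBook 4.1.2 public/system ids are the
# ones quoted in the thread, the document body is made up.
SAMPLE_XML = b'''<?xml version="1.0"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
  "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
<article><title>xbill</title><para>Sample text.</para></article>
'''
DOCBOOK_412_PUBLIC_ID = "-//OASIS//DTD DocBook XML V4.1.2//EN"

# Constructed stand-in for docbookx.dtd, just enough for the sample document.
STANDIN_DTD = b'''<!ELEMENT article (title, para)>
<!ELEMENT title (#PCDATA)>
<!ELEMENT para (#PCDATA)>
'''

DOCTYPE_RE = re.compile(
    r'<!DOCTYPE\s+(?P<root>[\w.-]+)\s+PUBLIC\s+"(?P<pub>[^"]*)"\s+"(?P<sys>[^"]*)"')
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def find_external_dtd(xml_bytes):
    """Return (root, public_id, system_id, is_remote) for a PUBLIC DOCTYPE, else None.
    Audit step: a file with is_remote True makes a DTD-loading parser go to the
    network unless a catalog maps the public id to a local copy."""
    m = DOCTYPE_RE.search(xml_bytes.decode("utf-8", "replace"))
    if not m:
        return None
    sysid = m.group("sys")
    return (m.group("root"), m.group("pub"), sysid, sysid.startswith(REMOTE_SCHEMES))


class CatalogResolver(EntityResolver):
    """Serve external entities from a public-id -> path mapping (a dict here,
    standing in for an XML catalog); refuse any system id that would be fetched."""

    def __init__(self, catalog):
        self.catalog = catalog
        self.served = []  # (public_id, local_path) pairs actually resolved

    def resolveEntity(self, publicId, systemId):
        local = self.catalog.get(publicId)
        if local and os.path.isfile(local):
            with open(local, "rb") as f:
                data = f.read()
            src = InputSource(local)
            src.setPublicId(publicId)
            src.setByteStream(io.BytesIO(data))
            self.served.append((publicId, local))
            return src
        if systemId and systemId.startswith(REMOTE_SCHEMES):
            # The default resolver would hand this URL to urllib; stop instead.
            raise RuntimeError("refusing network fetch of %s" % systemId)
        return systemId


class _RootName(ContentHandler):
    """Records the name of the document element, enough to show the parse ran."""

    def __init__(self):
        super().__init__()
        self.name = None

    def startElement(self, name, attrs):
        if self.name is None:
            self.name = name


def parse_with_catalog(xml_bytes, catalog):
    """Parse with external DTD loading enabled (as a DTD-aware tool would) but
    every resolution routed through the catalog. Returns (root element, served)."""
    handler = _RootName()
    resolver = CatalogResolver(catalog)
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)
    parser.setEntityResolver(resolver)
    parser.setContentHandler(handler)
    src = InputSource()
    src.setByteStream(io.BytesIO(xml_bytes))
    parser.parse(src)
    return handler.name, resolver.served


def demo():
    """Both cases: no catalog entry (fetch refused) and a local entry (served)."""
    remote = find_external_dtd(SAMPLE_XML)
    with tempfile.TemporaryDirectory() as d:
        dtd_path = os.path.join(d, "docbookx.dtd")
        with open(dtd_path, "wb") as f:
            f.write(STANDIN_DTD)
        try:
            parse_with_catalog(SAMPLE_XML, {})
            refused = False
        except RuntimeError:
            refused = True
        root, served = parse_with_catalog(SAMPLE_XML, {DOCBOOK_412_PUBLIC_ID: dtd_path})
    return remote[3], refused, root, served == [(DOCBOOK_412_PUBLIC_ID, dtd_path)]


if __name__ == "__main__":
    print(demo())  # (True, True, 'article', True)
```

With an empty catalog the stock xml.sax entity resolver would pass the http system id to urllib, which is exactly the fetch Sebastien observed; the resolver above raises instead, and with the public id mapped to a local file the document parses without touching the network. Pointing the catalog at the docbook-xml package's copy of docbookx.dtd gives the behaviour Hubert expects from scrollkeeper.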
