
Re: [RFC] General Resolution to deploy tag2upload



Ansgar 🙀 <ansgar@43-1.org> writes:

> Okay, so we have to accept a path into the archive that is known to
> accept malicious uploads that would have been rejected by dak so maybe
> that path will be changed later? I don't see that happening given all
> suggestions to change this have been rejected, even when fairly simple
> to implement.

This is not known.  You have asserted this, and then come up with
increasingly implausible excuses for why you cannot clearly explain wtf
you are talking about.

It's entirely possible that there are security bugs in the current
tag2upload implementation, just like it's entirely possible that there are
security bugs in dak and in any other piece of software.  The way we deal
with those, now and in the future, is that someone explains what the
security bug is and then we see if we can fix it.

Given the number of factual errors in your previous posts to this thread
and your refusal to provide any detail about the security vulnerabilities
that you believe exist, I simply do not trust that your assertions are
true without something concrete that I can understand.  If you want me to
take your assertions seriously, you're going to have to show your work.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

