On Sunday, 26 April 2020 9:25:06 AM AEST Ximin Luo wrote:
> The source code doesn't mention any particular reason, and one person on
> the upstream bug report mentions it in such an off-the-cuff and
> non-explanatory way I can't take it into account as a serious data point.
> We shouldn't just let a mere mention of "security" scare us into not
> touching stuff and using our own reasoning to fix bugs.
>
> And I *did* think about the possible security considerations, as I
> explained in my previous email, and derived my suggested patch based on
> these considerations. (FWIW, I have done and am doing various types of
> security work professionally, and I'm confident about this type of
> reasoning in general.)

Did you consider the possibility of users having a mix of packaged and
non-packaged extensions? I think it is reasonable to contain/sandbox
extensions to prevent peeking at various file system locations through
symlinks. Once Firefox is patched to allow symlinks, the threat might be
from malicious symlinks in non-packaged extensions.

> This is static linking, and in Debian we generally avoid doing that. I am
> not saying you shouldn't do it for your package, but we also shouldn't shy
> away from fixing infrastructural situations that force us into it.

Yes, valid. I agree. :)

-- 
Regards,
 Dmitry Smirnov.

---

Censorship is always cause for celebration. It is always an opportunity
because it reveals fear of reform. It means that the power position is so
weak that you have got to care what people think.
        -- Julian Assange
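The containment concern raised above, that a symlink inside an extension directory can point at file system locations the extension has no business reading, can be checked mechanically. The script below is an added example and not code from this thread, from Firefox or from Debian's packaging; it builds a small constructed extension tree in a temporary directory (the layout, file names and the `ext`/`outside` directories are assumptions for the demonstration), then walks it and reports every symlink whose resolved target lies outside the extension root. A relative link that stays inside the root is accepted; links that escape, including a directory symlink, are flagged.

```python
import os
import tempfile
from pathlib import Path


def find_symlink_escapes(root):
    """Walk an extension directory without following links and return
    (relative link path, resolved target) for every symlink whose target
    resolves outside the extension root.

    Symlinks that cannot be resolved at all (loops) are reported too,
    since they cannot be shown to stay inside the root.
    """
    root = Path(root).resolve(strict=True)
    escapes = []
    # followlinks=False: symlinked directories are listed but not descended into
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            rel = str(p.relative_to(root))
            try:
                target = p.resolve()  # non-strict: a dangling link still yields a path
            except (RuntimeError, OSError):  # symlink loop
                escapes.append((rel, "<unresolvable>"))
                continue
            try:
                target.relative_to(root)  # raises if target is not under root
            except ValueError:
                escapes.append((rel, str(target)))
    return escapes


def demo():
    """Constructed sample tree (not a real extension); returns the escapes found."""
    base = Path(tempfile.mkdtemp())
    outside = base / "outside"  # assumed location the extension must not reach
    outside.mkdir()
    (outside / "secret.txt").write_text("not for the extension\n")

    ext = base / "ext"  # assumed extension root
    (ext / "icons").mkdir(parents=True)
    (ext / "data").mkdir()
    (ext / "manifest.json").write_text("{}\n")
    (ext / "logo.png").write_bytes(b"\x89PNG")

    os.symlink("../logo.png", ext / "icons" / "logo.png")            # stays inside root
    os.symlink("../../outside/secret.txt", ext / "data" / "secret")   # file escape
    os.symlink(str(outside), ext / "lib")                             # directory escape

    return sorted(find_symlink_escapes(ext))


if __name__ == "__main__":
    for rel, target in demo():
        print(f"ESCAPE: {rel} -> {target}")
```

Running `demo()` reports `data/secret` and `lib` and stays silent about `icons/logo.png`. A check like this belongs at install or packaging time; it does not replace runtime containment, because a link created or repointed after the check has run is not covered by it.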