On Wed, 13 Apr 2005 07:34:31 +0200 Christian Perrier <[EMAIL PROTECTED]> wrote:
> Quoting Tim Dijkstra (tdykstra) ([EMAIL PROTECTED]): > > > All this unasked for. A maintainer script has no business messing > > around with peoples data! > > It does not. It *adds* a xxx.update.gw file along with the found > xxx.gwb file. It tries to give this file the same owner/group than the > former file, and chmod it to preserve privacy. > > > > > I can see the point in updating the databases in the dir owned by > > geneweb (/var/lib/geneweb), but messing around random files on the > > filesystem is not something a maintainer script should do. > > I was stupid enough to have a drive mounted r/w with backups on > > them, which now are also nicely updated... > > geneweb does not change *.gwb files Ah, sorry. I read the code wrongly, and misinterpreted the modification time of the files, which was what I checked. But still... > So, I understand you may object to this piece of code because, yes, it > deals with users files and is likely to write on places where user > data are. So, for that reason, I may consider commenting the relevant > code because it may be easily interpreted as non policy compliant. I agree to this, a maintainer-script shouldn't just write on random places on the filesystem. For instance, looking a bit better at the code, I think it has a serious security problem. What if a malicious would do the following: touch mydata.gwb ln -s /sbin/init mydata.update.gw > Of course, tagging the bug grave while we are so close of a release is > a way to force me taking the only measure I can safely take hereÂ: > comment out the code which EXPORTS user data. Because this is the only > safe solution I have, indeed. Don't take it personally, I was just pissed some maintainer script was writing to my precious backups... Maybe an alternative to removing the code entirely is to drop the converted files in a dir under /var/backup and tell the admin it can find updated files there. You should do some careful temporary file creation there. grts Tim -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
