** Also affects: pciutils (Ubuntu Precise)
   Importance: Undecided
       Status: New
-- 
You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1815237

Title:
  stop shipping "update-pciids" in /usr/sbin

Status in pciutils package in Ubuntu:
  In Progress
Status in pciutils source package in Precise:
  Invalid
Status in pciutils source package in Trusty:
  In Progress
Status in pciutils source package in Xenial:
  In Progress
Status in pciutils source package in Bionic:
  In Progress
Status in pciutils source package in Cosmic:
  In Progress

Bug description:
  [Freenode #ubuntu-release discussion]

  [13:51:02] <slashd> vorlon, I also puzzle what would be the good practice, SRU an update of pci.ids or leave the user the decision to use update-pciids which does it automatically
  [13:52:13] <infinity> slashd: That second option isn't a great one, for many reasons.
  [13:52:21] <vorlon> slashd: ^^ I concur
  [13:52:55] <infinity> slashd: The two that come to mind are (a) it alters a dpkg-managed file in /usr/share and (b) it's an entirely unchecked random download over http.
  [13:53:17] <infinity> In fact, I'm a bit shocked we even ship that script at all, or haven't at least neutered it in some way.
  [13:54:40] <infinity> That's just begging for an injection attack where intentionally-corrupted pci.ids data exploits something goofy in a library that reads it.
  [13:55:00] <slashd> infinity, good point
  [13:56:05] <infinity> If we were to give that as an option, we'd need to alter the script (and things that read that data) to use a second user-writable location in /var, and we'd need upstream to provide a signed/verifiable source we can pull from.
  [13:56:23] <infinity> But I think "stop shipping the script on the PATH" is a saner plan.
  [13:58:26] <infinity> slashd: Maybe get some input from someone like mdeslaur or sarnold to see if they think I'm being overly paranoid, but I think having a script on path that downloads random junk over http and slams it in a file in /usr/share that gets read by dozens of other binaries is pretty sketchy.
  [13:58:40] <infinity> slashd: So I'd be +1 on just nuking it.
  [13:59:08] <slashd> infinity, ack will try to have an ACK from the security team as well, but sounds like a good plan
  [13:59:14] <infinity> slashd: Or moving it to /use/share/doc/pciutils/examples
  [14:00:23] <slashd> infinity, vorlon ok thanks a lot for your help
  [14:00:28] <mdeslaur> oh ew ew ew ew
  [14:01:01] <mdeslaur> yeah, moving it to examples would be a good idea
  [14:01:21] <slashd> mdeslaur, ack tks

  SRU team: +1
  Security team: +1