On 03/07/2015 04:02 PM, William Stein wrote:
> On Thu, Mar 5, 2015 at 2:14 PM, Volker Braun <vbraun.n...@gmail.com> wrote:
>> As usual, get the "develop" branch or the source tarball from
>> http://www.sagemath.org/download-latest.html
> 
> Built on Ubuntu 14.10 64-bit with no trouble.  "make ptestlong"
> resulted in a bunch of files with "1 doctest error", due to this sort
> of new repeated security warning: "UserWarning:
> /projects/4cff8798-41d0-4d9b-b516-ba106ba89c57/.sage//.python-eggs is
> writable by group/others and vulnerable to attack when used with
> get_resource_filename. Consider a more secure location (set with
> .set_extraction_path or the PYTHON_EGG_CACHE environment variable)."

This is http://trac.sagemath.org/ticket/17875 (already fixed).


> I don't know what produces that warning, but it is annoying.  Isn't it
> also wrong? -- I think that directory is _not_ vulnerable to attack
> (see perms below) because:
> 
>   (1) the group for that directory is the user (which is standard on
> Linux, btw, but not other os's) and

Well, obviously checking which users belong to the file's group would be
too expensive.


>   (2) moreover, the containing directory (and its parent too) are both
> locked down.

Same for that.


-leif

> Where does this new wrong security check come from?   I understand
> making security warnings too sensitive by default.  However, this one
> is way too sensitive to me.  People are going to be getting this
> warning left and right all over the place, when it is completely not
> founded.   If this doesn't get addressed (or I'm convinced otherwise),
> I would definitely not feel right if I don't patch this warning out of
> any version of Sage I distribute (e.g. the one in SageMathCloud).
> 
> Some output:
> 
> /scratch/wstein/sage-6.6.beta3$ ./sage -t --long --warn-long 44.1
> src/sage/dynamics/interval_exchanges/iet.py
> Running doctests with ID 2015-03-07-14-52-36-62bd97ff.
> Git branch: develop
> Doctesting 1 file.
> sage -t --long --warn-long 44.1 src/sage/dynamics/interval_exchanges/iet.py
> **********************************************************************
> File "src/sage/dynamics/interval_exchanges/iet.py", line 37, in
> sage.dynamics.interval_exchanges.iet
> Failed example:
>     T.plot_two_intervals()
> Expected:
>     Graphics object consisting of 12 graphics primitives
> Got:
>     doctest:1224: UserWarning:
> /projects/4cff8798-41d0-4d9b-b516-ba106ba89c57/.sage//.python-eggs is
> writable by group/others and vulnerable to attack when used with
> get_resource
> _filename. Consider a more secure location (set with
> .set_extraction_path or the PYTHON_EGG_CACHE environment variable).
>     Graphics object consisting of 12 graphics primitives
> **********************************************************************
> 1 item had failures:
>    1 of  13 in sage.dynamics.interval_exchanges.iet
>     [154 tests, 1 failure, 2.60 s]
> ----------------------------------------------------------------------
> sage -t --long --warn-long 44.1
> src/sage/dynamics/interval_exchanges/iet.py  # 1 doctest failed
> ----------------------------------------------------------------------
> Total time for all tests: 2.8 seconds
>     cpu time: 2.6 seconds
>     cumulative wall time: 2.6 seconds
> /scratch/wstein/sage-6.6.beta3$ ls -lhtd
> /projects/4cff8798-41d0-4d9b-b516-ba106ba89c57/
> drwx------ 25 4cff879841d04d9bb516ba106ba89c57
> 4cff879841d04d9bb516ba106ba89c57 60 Mar  7 14:52
> /projects/4cff8798-41d0-4d9b-b516-ba106ba89c57/
> /scratch/wstein/sage-6.6.beta3$ ls -lhtd
> /projects/4cff8798-41d0-4d9b-b516-ba106ba89c57/.sage
> drwx------ 26 4cff879841d04d9bb516ba106ba89c57
> 4cff879841d04d9bb516ba106ba89c57 35 Mar  7 14:52
> /projects/4cff8798-41d0-4d9b-b516-ba106ba89c57/.sage
> /scratch/wstein/sage-6.6.beta3$ ls -lhtd
> /projects/4cff8798-41d0-4d9b-b516-ba106ba89c57/.sage/.python-eggs
> drwxrwx--- 4 4cff879841d04d9bb516ba106ba89c57
> 4cff879841d04d9bb516ba106ba89c57 4 Sep 10 16:11
> /projects/4cff8798-41d0-4d9b-b516-ba106ba89c57/.sage/.python-eggs
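
The two objections raised in this thread (the directory's group contains only its owner, and the parent directories are locked down) can be checked explicitly alongside the plain mode-bit test. This is an added example, not code from Sage or from the library that emits the warning; the function names and the `stop` and `members` parameters are illustrative, and it assumes plain POSIX mode bits with no ACLs.

```python
# Illustrative helper names; assumes plain POSIX mode bits (no ACLs).
import grp, os, pwd, stat

def flagged_by_mode_bits(path):
    """Coarse test the quoted warning describes: any group/other write bit."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def locking_ancestor(path, stop="/"):
    """First ancestor, up to and including `stop`, that denies search (x) to
    group and others and is owned by the directory's owner or root."""
    owner = os.stat(path).st_uid
    cur, stop = os.path.realpath(path), os.path.realpath(stop)
    while cur != stop and cur != os.path.dirname(cur):
        cur = os.path.dirname(cur)
        st = os.stat(cur)
        if not st.st_mode & (stat.S_IXGRP | stat.S_IXOTH) and st.st_uid in (owner, 0):
            return cur
    return None

def other_group_members(gid, owner_uid):
    """UIDs other than the owner in group `gid`; enumerates the account
    database, which is the costly part of a precise check."""
    uids = {pw.pw_uid for pw in pwd.getpwall() if pw.pw_gid == gid}
    try:
        names = grp.getgrgid(gid).gr_mem
    except KeyError:  # gid has no group entry
        names = []
    for name in names:
        try:
            uids.add(pwd.getpwnam(name).pw_uid)
        except KeyError:  # stale member name
            pass
    return uids - {owner_uid}

def assess(path, stop="/", members=other_group_members):
    """Return (flagged, exposed, reason) for a cache directory."""
    st = os.stat(path)
    if not flagged_by_mode_bits(path):
        return (False, False, "no group/other write bit")
    lock = locking_ancestor(path, stop)
    if lock:
        return (True, False, "ancestor denies traversal: " + lock)
    if not st.st_mode & stat.S_IWOTH and not members(st.st_gid, st.st_uid):
        return (True, False, "group-writable, but group has no other members")
    return (True, True, "writable by users other than the owner")
```

For the `drwxrwx---` directory under two `drwx------` parents shown in the listing above, `assess` reports flagged but not exposed; clearing the group write bit on the cache directory makes the coarse test pass as well.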
