-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Okay, in revision 33040 dfranke removed PythonAI support from Wesnoth. That is in 1.6 *no* Python is available ingame at all. Python is still used for several "external" tools (like eg wmllint and many others), but the game itself will not rely on Python at all. This should be enough security to basically solve CVE-2009-0367 in the upcoming stable series.
For the moment we can only recommend to *NOT* activate python when compiling a 1.4.x binary. All distributions should keep this in mind, since it is basically the easiest workaround of those problems. Beside this the diff from revision 33013 [1] is required to have the campaign DiD still working. In general our addon server for 1.4.x will not send anything python related that the game can make use of, but users can of course copy the stuff in from "anywhere in the depths of the net", so the only way to be secure is to deactivate python support all together! For later releases (post the 1.6 stable branch) we will have to see how we handle scripting support in Wesnoth. Cheers, Nils Kneuper aka Ivanovic [1]http://svn.gna.org/viewcvs/wesnoth?rev=33013&view=rev -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkmiwGkACgkQfFda9thizwVIUgCfbyW0wMkRwUQazK/XFQbVXrwL 9KMAmQH7GoEoy8i+ls+NYvj1P5j25Gn9 =M1SK -----END PGP SIGNATURE----- _______________________________________________ Wesnoth-dev mailing list Wesnoth-dev@gna.org https://mail.gna.org/listinfo/wesnoth-dev