[pkg-fso-maint] FSO2 packaging
Timo Juhani Lindfors
timo.lindfors at iki.fi
Fri Jun 10 19:09:04 UTC 2011
Hi,

Rico Rommel <rico at bierrommel.de> writes:
> fso-gsmd

thanks for the effort. Here are some random comments.

1) There's a quite large

    debian/patches/debian-changes-0.5.0+git20110411-1

that adds one valac generated file and "source/format".
That should probably be in debian/source/format? ;-)

2) I don't unfortunately know cdbs so I can't comment on debian/rules
much.

3) src/lib/phonebook.vala has

    public const string PB_STORAGE_DEFAULT_STORAGE_DIR = "/tmp/fsogsmd/pb";

This looks like an insecure temporary file path? Can you comment on it?

If you grep for /tmp you see things like

    src/plugins/pdp_ppp_internal/plugin.vala: ppp.set_recording("/tmp/ppp.log" );

What if a normal user adds a symlink from /tmp/ppp.log to /etc/shadow?

I know these are upstream issues but if the package has easy local root
vulnerabilities it might be difficult to get it past ftp masters?

-Timo
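
The fixed-path log concern raised in point 3, as an added example that is not part of the original message or of the fso-gsmd source: a C sketch contrasting a plain `fopen(path, "w")` with an exclusive, no-follow open. The function names, the scratch directory and the "victim" file are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened open for a log file in a world-writable directory: O_EXCL fails
 * on any existing name (a planted symlink included), O_NOFOLLOW refuses a
 * symlink in the last path component, 0600 keeps the log private. */
int open_log_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed demo in a private scratch directory: ppp.log is a symlink to
 * a stand-in "victim" file. Returns a bitmask, or -1 on setup failure:
 *   2 = hardened open refused the path and the victim was left untouched
 *   1 = fopen(path, "w") followed the link and truncated the victim */
int demo_symlink_log(void)
{
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    char victim[64], logpath[64];
    struct stat st;
    int result = 0;

    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(logpath, sizeof logpath, "%s/ppp.log", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("important data\n", f);
    fclose(f);
    if (symlink(victim, logpath) != 0) return -1;

    int fd = open_log_exclusive(logpath);
    if (fd >= 0) close(fd);
    else if ((errno == EEXIST || errno == ELOOP)
             && stat(victim, &st) == 0 && st.st_size > 0) result |= 2;
    f = fopen(logpath, "w");            /* what a fixed-path logger does */
    if (f) fclose(f);
    if (stat(victim, &st) == 0 && st.st_size == 0) result |= 1;

    unlink(logpath); unlink(victim); rmdir(dir);
    return result;
}
int main(void) { printf("result=%d\n", demo_symlink_log()); return 0; }
```

A daemon running as root is better served by keeping such files out of /tmp entirely, in a directory only it can write to; the exclusive open is the fallback when a shared directory cannot be avoided.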