[Secure-testing-team] [Secure-testing-commits] r12708 - data/CVE

Michael S Gilbert michael.s.gilbert at gmail.com
Sun Aug 30 20:31:56 UTC 2009


On Sun, 30 Aug 2009 21:40:11 +0200 Moritz Muehlenhoff wrote:

> 
> > oh, and wouldn't a "complete" fix for an embedded code copy involve a
> > patch that strips the embedded code from the debian source package?
> > 
> > maybe this isn't the current state of play, but we should probably push
> > for this.
> 
> Absolutely not, this is a very intrusive packaging step and only needed
> when dealing with non-distributable content.

i meant that the patch should minus ('-') out the embed, but leave the
<source>.orig.tar.gz untouched.

this makes it 100% certain that the embed is not happening; whereas, if
the embed code remains, there is always the possibility of someone
coming along and making a change that ends up using the embed code
without realizing what they did (and more importantly probably not
notifying anyone), and since the embed code is there, and their code
works, it seems ok. minusing out the embedded code would make this
impossible.

it also makes it 100% clear which embeds have and have not been dealt
with.

mike
