From: (David Wagner)
Subject: Re: R: Linux kernel source archive vulnerable
Date: Wed, 13 Sep 2006 06:59:31 +0000 (UTC)	[thread overview]
Message-ID: <ee8a8j$gf7$> (raw)
In-Reply-To: <>

Kyle Moffett  wrote:
>No, git-tar-tree is storing the desired permissions (0666 and 0777)
>in the tar archive.  This is not a bug, those are actually the
>permissions we want in the tar archive.

Those may be the permissions *you* want, but they're not the permissions
I suspect many users would prefer.  Take a look at any open-source
project that ships tar archives of their source code.  Do they ship
tarballs of their source code where all the files have 0666 permissions?
Not in my experience.  That should tell you something.

Telling me that this is "by design" is not a very persuasive response
when my claim is that the design is poorly chosen.

>No, it is user-friendly.  This is like distributing programs who use
>open(..., 0666) when opening globally-readable files.

It's not the same.  There's a reason that most other open-source
projects are careful not to distribute 0666 files in their tar archives.

>o   Do *not* extract kernel trees as root

I don't see anything unreasonable about extracting tarballs from a
trusted source as root (unless, of course, the folks who put together
the tarballs are malicious or careless or can't be trusted).

I don't see any good justification for this other than that the
maintainers of git-tar-tree can't be bothered to store more reasonable
permissions in the tar archive.  It smells like a workaround that is
designed to make the lives of the git-tar-tree programmers easier --
but at the cost of making users' lives a little harder.  That's what I
mean when I said that this decision doesn't seem very user-friendly.
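The concern in this thread is that a tarball storing 0666/0777 modes becomes world-writable on disk when it is extracted with permissions preserved (GNU tar does this by default when run as root). The following is an added example, not code from the thread or from git: it builds a small constructed archive with that permission pattern, lists the members that would land world-writable, and shows what mode a normal umask-masked extraction would produce instead.

```python
import io
import stat
import tarfile


def build_sample_archive() -> bytes:
    """Constructed sample data (not a real kernel tarball): a tree with
    0777 directories and 0666 files as the thread describes, plus one
    entry with a conventional 0644 mode."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, mode, is_dir in [
            ("linux", 0o777, True),
            ("linux/Makefile", 0o666, False),
            ("linux/README", 0o644, False),
        ]:
            ti = tarfile.TarInfo(name)
            ti.mode = mode
            if is_dir:
                ti.type = tarfile.DIRTYPE
                tf.addfile(ti)
            else:
                data = b"placeholder\n"
                ti.size = len(data)
                tf.addfile(ti, io.BytesIO(data))
    return buf.getvalue()


def world_writable_entries(archive: bytes) -> list:
    """Return (name, octal mode) for every member whose stored mode has the
    other-write bit set, i.e. what would become world-writable if extracted
    with stored permissions preserved (the root-extraction case)."""
    found = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tf:
        for member in tf.getmembers():
            if member.mode & stat.S_IWOTH:
                found.append((member.name, oct(member.mode)))
    return found


def sanitized_mode(mode: int, umask: int = 0o022) -> int:
    """Mode an extraction that applies the given umask (the non-root
    default behaviour) would actually create on disk."""
    return mode & ~umask & 0o7777


if __name__ == "__main__":
    for name, mode in world_writable_entries(build_sample_archive()):
        print(f"{name}: stored {mode}, with umask 022 -> "
              f"{oct(sanitized_mode(int(mode, 8)))}")
```

Running the scan before extracting an untrusted or oddly-built archive as root turns the thread's "do not extract as root" advice into a concrete pre-check.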


