bug-automake

Re: not hardwiring gpg


From: Jim Meyering
Subject: Re: not hardwiring gpg
Date: Tue, 18 Dec 2007 16:51:33 +0100

Ralf Wildenhues <address@hidden> wrote:
> Hello Jim, Karl,
>
> * Jim Meyering wrote on Tue, Dec 18, 2007 at 03:36:27PM CET:
>> address@hidden (Karl Berry) wrote:
>> > Will you accept this change from Jim Meyering to gnupload?
>> > (Until now we have copied the gnulib gnupload from automake.)
>>
>> Thanks for forwarding that, Karl.
>> I didn't know gnulib's gnupload file came from elsewhere.
>> FYI, rationale + ChangeLog entry are here:
>>
>>   http://article.gmane.org/gmane.comp.lib.gnulib.bugs/12211
>>
>> If no one objects, I'll push this in automake, too.
>
> I don't object, but your change would do good with a small explanation
> to refute Gary's argument for the commit in Automake that added the full
> name in the first place, <5176801c82cc0ea98b344260b4accf4cab08a0e3>, see
> <http://thread.gmane.org/gmane.comp.gnu.libtool.patches/1533/focus=1546>.

Hi Ralf,

If the hypothetical cracker ever gets into my (or any developer's) system
with sufficient privilege to modify the contents of directories in my PATH
(or change my PATH altogether), they can already compromise my development
work in so many ways that using such absolute names in gnupload
gives reduced functionality with no added security.

I thought this was common knowledge, along with the "don't hard-code
file names" dictum, but if you still think it's worth a comment in
the code, I'll add one.



