Re: GNU Sharutils and security


From: Bruce Korb
Subject: Re: GNU Sharutils and security
Date: Thu, 01 Jul 2004 11:19:24 -0700

Methinks not everyone knows how this stuff is used.  8-)

I know that some places use uuencode/decode to archive binary
files with anemic SCM tools that cannot cope with binary files.
(Don't flame me about the silliness of that....)

I use "shar" to collect gazillions of little test files that
can be spit out by a shell script, keeping my test areas relatively
uncluttered.  In other words, we're not using them in conjunction
with email, even if that was their genesis.  I think MIME and ftp
sites are better for distributing stuff.  Dial up UUCP connections
are long dead now; but these are still useful tools.

Karl Berry wrote:
> 
> Hmm.  ....
> 
> There was a follow-up from Stepan wondering about adding
> uuencode/uudecode to mailutils.  See the archives.
> 
> Date: Thu, 01 Jul 2004 18:45:47 +0200
> From: "Bruno Haible" <address@hidden>
> To: address@hidden
> Cc: PaulEggert <address@hidden>
> Subject: Re: GNU Sharutils and security
> 
> > Somebody out there who wants to take over the sharutils package?
> 
> Before that, maybe it's time to split that package? uuencode and
> uudecode are occasionally useful and can therefore be reasonably part of
> a distribution. However, shar and unshar being a security leak by
> design, and being obsoleted by the addition of MIME attachments to email
> protocols, I think shar and unshar shouldn't be installed on any Unix
> system by default.
> 
> It's well-known that MSIE is a trojan horse and virus downloading
> engine, but in our camp shar and unshar are similar, and we should
> address this issue.
> 
> Therefore, how about removing shar and unshar from the sharutils, or
> splitting sharutils into a useful and harmless package and a separate
> security-killer package?

Before moving uuencode/decode to new packages, it would make sense to
have better indexing that can map program names to distribution package
names.  It's often fairly difficult to figure out which package has
the program I'm interested in.

Cheers - Bruce
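The point Bruno raises above is that a shar archive is a shell script, so `unshar` (or `sh archive.shar`) on untrusted input runs whatever commands the archive carries, not just the file payloads. A defensive way to handle such an archive is to read the members out without ever handing it to a shell. The following is an added example, not code from the thread or from GNU sharutils; it assumes the member layout GNU shar commonly emits (a `sed 's/^X//' << 'SHAR_EOF' > 'name' &&` line followed by `X`-prefixed payload lines up to the delimiter). The sample archive is constructed for the example; the parser recovers the payloads, refuses member names that would escape the extraction directory, and lists every other line a shell would have executed so a reviewer can inspect them before deciding whether to run anything.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the GNU shar here-document style (an assumption about
# the exact layout): each member is written by `sed 's/^X//'` reading a quoted
# here-document, with every payload line guarded by a leading "X".
SAMPLE_SHAR = """\
#!/bin/sh
# This is a shell archive in the style produced by GNU shar.
echo x - hello.txt
sed 's/^X//' << 'SHAR_EOF' > 'hello.txt' &&
Xhello, world
Xsecond line
SHAR_EOF
echo x - ../escape.txt
sed 's/^X//' << 'SHAR_EOF' > '../escape.txt' &&
Xthis path points outside the extraction directory
SHAR_EOF
exit 0
"""

# Matches the line that opens one member's here-document and names the output file.
HEREDOC_START = re.compile(
    r"""^sed\s+'s/\^X//'\s+<<\s*'?(?P<delim>[A-Za-z_][A-Za-z0-9_]*)'?\s*>\s*'(?P<name>[^']+)'"""
)


def is_safe_member_name(name: str) -> bool:
    """Reject empty names, absolute paths and any '..' or empty path component."""
    if name == "" or name.startswith("/"):
        return False
    return all(part not in ("..", "") for part in name.split("/"))


def parse_shar(text: str) -> Tuple[Dict[str, str], List[str], List[str]]:
    """Walk a shar archive as text, without executing it.

    Returns (members, rejected, commands):
      members  - {filename: content} for here-document payloads with safe names
      rejected - member names refused by is_safe_member_name
      commands - every other non-comment line a shell would execute, for review
    """
    members: Dict[str, str] = {}
    rejected: List[str] = []
    commands: List[str] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = HEREDOC_START.match(lines[i])
        if not m:
            stripped = lines[i].strip()
            if stripped and not stripped.startswith("#"):
                commands.append(stripped)
            i += 1
            continue
        delim, name = m.group("delim"), m.group("name")
        body: List[str] = []
        i += 1
        while i < len(lines) and lines[i] != delim:
            payload = lines[i]
            # Undo the "X" guard prefix that shar adds to every payload line.
            body.append(payload[1:] if payload.startswith("X") else payload)
            i += 1
        i += 1  # skip the terminating delimiter line
        content = "\n".join(body) + ("\n" if body else "")
        if is_safe_member_name(name):
            members[name] = content
        else:
            rejected.append(name)
    return members, rejected, commands


if __name__ == "__main__":
    members, rejected, commands = parse_shar(SAMPLE_SHAR)
    for name, content in members.items():
        print(f"member {name!r}: {len(content)} bytes")
    for name in rejected:
        print(f"rejected unsafe member name {name!r}")
    print("lines a shell would run outside the payloads:")
    for cmd in commands:
        print("   ", cmd)
```

Nothing here writes to disk; the caller decides what to do with the recovered members. The `commands` list is the part worth reading first: with a real archive, anything beyond the expected `echo`/`sed`/`exit` scaffolding is the reason Bruno calls the format a security leak by design.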
