Re: [Bug-tar] --rsh-command default

bug-tar

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-tar] --rsh-command default

From:	Solar Designer
Subject:	Re: [Bug-tar] --rsh-command default
Date:	Sun, 21 Mar 2010 11:50:06 +0300
User-agent:	Mutt/1.4.2.3i

Sergey,

This is in addition to my previous response.  We have decided to make
this change in Owl anyway, and in fact we already made it:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/tar/

(it's tar-1.23-owl-rsh-command.diff right now).

In case you find it convincing, this change (making --rsh-command have
no default) is consistent with the behavior of cpio, which has an option
by the same name (without a default).  So right now tar's behavior is
inconsistent with cpio's, and we're proposing to make it consistent (and
this is also desirable for security).

I proposed:
> In light of CVE-2010-0624, I'd like to propose a change of default for
> tar.  Specifically, how about changing the --rsh-command option to have
> no default?

Alexander

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug-tar] --rsh-command default, Solar Designer, 2010/03/19
- Re: [Bug-tar] --rsh-command default, Sergey Poznyakoff, 2010/03/19
  - Re: [Bug-tar] --rsh-command default, Solar Designer, 2010/03/19
  - Re: [Bug-tar] --rsh-command default, Solar Designer <=

Prev by Date: [Bug-tar] tests/extrac07.at
Next by Date: [Bug-tar] [GNU tar 1.23] testsuite: 91 failed
Previous by thread: Re: [Bug-tar] --rsh-command default
Next by thread: [Bug-tar] I: tar-1.23 SIGPIPE regression
Index(es):
- Date
- Thread