Re: Handling ‘file’ CVE
From: Mark H Weaver
Subject: Re: Handling ‘file’ CVE
Date: Thu, 13 Nov 2014 13:03:53 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4 (gnu/linux)
address@hidden (Ludovic Courtès) writes:
> address@hidden (Ludovic Courtès) writes:
>
>> What about this other option: make another public package, ‘file-5.20’,
>> next to ‘file’, such that when a user explicitly installs ‘file’, they
>> get the new one?
>
> I ended up taking that route, in commit 310081e.
FWIW, I think it would be better for 'file' to be bound to the fixed
package, and to add a 'file/fixed' that points to the old buggy one.
Then 'file/fixed' could be used in some selected places.

'file' is used as a plain input (as opposed to native-input) in several
places that make me a bit nervous, e.g. the 'transmission' bittorrent
client (is 'file' being used at runtime on downloaded files?), and also
'aegis', 'quilt', and 'cmake'.

Finally, 'file' is a propagated-input for 'intltool', which means that
if anyone installs 'intltool' in their profile, they will have the buggy
'file' in their PATH.
Regards,
Mark
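An added check, not part of the thread or of Guix itself, for the last concern above: it resolves a profile's bin/file symlink and reads the version out of the store item name to tell whether a pre-5.20 'file' has landed in PATH (for example through intltool's propagated input). The /gnu/store/<hash>-file-<version>/bin/file layout and the 5.20 cutoff are assumptions taken from this thread; the sample path at the end is constructed.

```shell
#!/bin/sh
# Added example: does a profile's `file` come from a store item older than
# the fixed 5.20 release? Assumes the usual Guix store layout
# /gnu/store/<hash>-file-<version>/bin/file (an assumption, not Guix's API).

FIXED_FILE_VERSION="5.20"

# Print the version embedded in a store path of the `file` package,
# e.g. /gnu/store/<hash>-file-5.19/bin/file -> 5.19. Fails (1) for paths
# that do not belong to the file package.
file_version_from_store_path() {
    rest="${1#*-file-}"
    [ "$rest" = "$1" ] && return 1
    printf '%s\n' "${rest%%/*}"
}

# True when major.minor version $1 sorts before $2 (sufficient for file's
# two-component version scheme; deeper components are ignored).
version_lt() {
    a_major=${1%%.*}; a_minor=${1#*.}; a_minor=${a_minor%%.*}
    b_major=${2%%.*}; b_minor=${2#*.}; b_minor=${b_minor%%.*}
    [ "$a_major" -lt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ]; }
}

# Classify a resolved `file` path: 0 = buggy (older than the fix),
# 1 = fixed or newer, 2 = not a store item of the file package at all.
file_path_is_buggy() {
    version=$(file_version_from_store_path "$1") || return 2
    version_lt "$version" "$FIXED_FILE_VERSION"
}

# Resolve $1/bin/file through the profile's symlinks and classify it.
# Usage: check_profile_file ~/.guix-profile
check_profile_file() {
    target=$(readlink -f "$1/bin/file") || return 2
    file_path_is_buggy "$target"
}

# Example run on a constructed path (no real profile needed):
if file_path_is_buggy /gnu/store/0000000000000000000000000000000-file-5.19/bin/file; then
    echo "buggy file in PATH"
fi
```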