Control: tag -1 security On 2014-02-20 13:46, Andreas Tille wrote: > On Thu, Feb 20, 2014 at 11:47:51AM +0100, Andreas Beckmann wrote: >> On 2014-02-20 10:08, Andreas Tille wrote: >>> Hi Andreas, >>> >>> the directory is intended to be written by the world since the whole >>> world should be able to run the test suite there ... this is the purpose >>> of this package at all: Let everybody run the test (including >>> autopkgtest) and forget about the directory afterwards. >> >> This works for $everybody. But $everybody+1 finds only the leftovers >> from his predecessor there (or nothing if he cleaned up "properly"). > > Yes, this might happen. The main purpose of this package to provide > some larger chunks of data in a convinient way to run autopkgtest. This > could for sure be approached by providing (compressed) files in a > readonly dir, uncompress them to `mktemp -d` and run the tests there. > However, I do simply see no reason to put this extra effort onto the > test running machines.
I think that is the wrong goal to optimize for. If the autopkgtest scripts need a writable copy of some data files - they need to create them (which could be cp or sudo chmod). Can you run this autopkgtest twice in a row? > If human testers might test manually and somebody else has changed the > files for whatever reason - hey, the test will fail in the worst case. > That's a pity but I see no practical problem since in real life cases > people have their reason to play with the stuff and know about the > consequences. The directory contains python scripts. Everybody can replace them with them with the python equivalent of 'rm -rf $HOME' to provide fun for the next one to try them. I absolutely disagree to losing the ability to trust that content shipped in Debian packages can only be modified with root privileges. Andreas -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org