Hi Andreas and everybody, while drafting the IANA registration for the machine-readable Debian copyright format, I had to consider and describe security implications, and realised that in the case of the Files-Excluded field, the contents of the field are directly executed. One can imagine scenarios where an attacker inserts in that field some code that will cause uscan to send the developer's GPG or SSH private keys to a remote address, etc. This can of course be corrected in uscan, but it leads me to wonder if the copyright file should be kept as declarative as possible.
This would mean that the fileds that are not only informative, but that are also intended to control how a program is executed, like Files-Excluded, would rather be placed in more specialised configuration files. For instance, one could think a format revision 4 for debian/watch, that would use exactly the syntax that you are implementing now, and that would embed the watch information in a Watch field. This would not completely solve security issues for debian/copyright, as one can also imagine that some programs looking for files in the Files field may also pass the values witout sanitisation to some shell commands. However, I wonder if it would not be better to keep it as declarative as possible. What do you think ? -- Charles Plessy Tsurumi, Kanagawa, Japan -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20120906234436.ga7...@falafel.plessy.net
