Re: flashplugin-nonfree get-upstream-version.pl security concern

2012-12-13 Thread Jason Fergus
On Thu, 2012-12-13 at 19:55 -0500, Michael Gilbert wrote:
> On Wed, Dec 12, 2012 at 11:41 PM, Jason Fergus wrote:
> > On Wed, 2012-12-12 at 17:26 -0500, Michael Gilbert wrote:
> >> On Wed, Dec 12, 2012 at 12:52 PM, adrelanos wrote:
> >> > What is Debian policy on code execution from user websites?

Re: flashplugin-nonfree get-upstream-version.pl security concern

2012-12-13 Thread Michael Gilbert
On Wed, Dec 12, 2012 at 11:41 PM, Jason Fergus wrote:
> On Wed, 2012-12-12 at 17:26 -0500, Michael Gilbert wrote:
>> On Wed, Dec 12, 2012 at 12:52 PM, adrelanos wrote:
>> > What is Debian policy on code execution from user websites?
>>
>> Unfortunately there is none. I've tried to gain consensus t

Re: flashplugin-nonfree get-upstream-version.pl security concern

2012-12-13 Thread Jordon Bedwell
On Thu, Dec 13, 2012 at 1:47 PM, Davide Prina wrote:
> On 12/12/2012 23:26, Michael Gilbert wrote:
>> Ultimately, for anyone even modestly
>> security-conscious adobe flash should really be avoided at all costs.
> +1
> I'm not an expert, but I think that packages like this must first ask the
> use

Re: flashplugin-nonfree get-upstream-version.pl security concern

2012-12-13 Thread Davide Prina
On 12/12/2012 23:26, Michael Gilbert wrote:
> Ultimately, for anyone even modestly security-conscious adobe flash should really be avoided at all costs.
+1
I'm not an expert, but I think that packages like this must first ask the users list on which you want this plugin installed and then execu

Re: flashplugin-nonfree get-upstream-version.pl security concern

2012-12-13 Thread Ansgar Burchardt
Mike Mestnik writes:
> The link($1) can't contain a ", but a few others (i.e. ') should be added
> to this list and use...
> open INPUT, "wget --user-agent=\"$user_agent\" -qO - \"$url\" |" or die;
> or
> open INPUT, "wget --user-agent='$user_agent' -qO - '$url' |" or die;
Using the three-or-more a
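The two-argument piped open() quoted above hands the whole command string to /bin/sh, so any shell metacharacter that survives the regex ends up being interpreted, and a blacklist of quote characters is only as complete as the next bypass. The following is an added illustration, written for this archive page and not code from the flashplugin-nonfree script or from any poster: it places the shell-interpolating pattern beside the list form of open(), which execs the program directly with one argv entry per element. printf stands in for wget so it runs offline; the URL is a constructed sample.

```perl
#!/usr/bin/perl
# Added example, not the flashplugin-nonfree get-upstream-version.pl code:
# shell injection through a two-argument piped open() versus the list form.
use strict;
use warnings;

# Constructed sample of a "link" a hostile download page could return.
# The payload lives inside the URL itself; no " is needed to trigger it.
my $url = 'http://example.invalid/fp.tar.gz$(echo INJECTED)';

# Vulnerable form, modelled on the pattern quoted in the thread. The string
# contains shell metacharacters, so Perl runs it via /bin/sh -c and the
# $(...) inside the double quotes is executed by the shell.
sub fetch_via_shell {
    my ($u) = @_;
    open(my $fh, "printf '%s\\n' \"$u\" |") or die "open: $!";
    my $out = join '', <$fh>;
    close $fh;
    return $out;
}

# Hardened form: with three or more arguments Perl execs the program
# directly; each list element becomes exactly one argv entry and no shell
# ever sees $u, so $(...), backticks, ; and quotes are just bytes.
# The wget equivalent would be:
#   open(my $fh, '-|', 'wget', "--user-agent=$ua", '-qO', '-', '--', $url)
sub fetch_without_shell {
    my ($u) = @_;
    open(my $fh, '-|', 'printf', '%s\n', $u) or die "open: $!";
    my $out = join '', <$fh>;
    close $fh;
    return $out;
}

print "shell form: ", fetch_via_shell($url);      # ...fp.tar.gzINJECTED
print "list form : ", fetch_without_shell($url);  # ...fp.tar.gz$(echo INJECTED)
```

The list form closes the shell-injection hole but not argument injection: a value beginning with "-" is still parsed by wget as an option, so the URL's shape should be validated (scheme, host) before it is passed, or options terminated with "--" as in the comment above.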

Re: flashplugin-nonfree get-upstream-version.pl security concern

2012-12-13 Thread Mike Mestnik
On 12/12/12 13:10, Henrik Ahlgren wrote:
> On Wed, Dec 12, 2012 at 05:52:31PM +, adrelanos wrote:
>> Since get-upstream-version.pl runs as root it can do anything.
>>
>> I don't accuse him personally for anything. But should he ever be
>> compromised (forced, evil maid, etc...) it's very easy t

Re: flashplugin-nonfree get-upstream-version.pl security concern

2012-12-13 Thread Mike Mestnik
On 12/12/12 12:02, Moritz Mühlenhoff wrote:
> On Wed, Dec 12, 2012 at 05:52:31PM +, adrelanos wrote:
>> Hi,
>>
>> I do not want to discuss security implications of the upstream closed
>> source Adobe Flash plugin. This is about how the Flash plugin is
>> downloaded and installed in Debian.
>>