| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
On 01/07/2015 04:19 PM, Jonathan Callen wrote: |
| 5 |
> On 01/07/2015 12:15 PM, Matt Turner wrote: |
| 6 |
>> On Wed, Jan 7, 2015 at 7:57 AM, William Hubbs |
| 7 |
>> <williamh@g.o> wrote: |
| 8 |
>>> On Wed, Jan 07, 2015 at 06:49:56AM -0500, Philip Webb wrote: |
| 9 |
>>>> 150106 William Hubbs wrote: This one is perfectly safe on a |
| 10 |
>>>> single-user system : please leave it there. |
| 11 |
>>> |
| 12 |
>>> I'm not opposed to it staying in the tree under one of these |
| 13 |
>>> conditions: |
| 14 |
>>> |
| 15 |
>>> 1) fix it and remove the mask |
| 16 |
>>> |
| 17 |
>>> or |
| 18 |
>>> |
| 19 |
>>> 2) remove the mask and add ewarns to the ebuild |
| 20 |
> |
| 21 |
>> Remove the mask that people have to see and actively disable in |
| 22 |
>> order to install the software and replace it with ewarn messages |
| 23 |
>> that they likely won't read? |
| 24 |
> |
| 25 |
>> I don't see the problem with versions with security |
| 26 |
>> vulnerabilities masked in the tree. nethack in particular has |
| 27 |
>> been masked in the tree since 2006, so we have some precedence. |
| 28 |
> |
| 29 |
> |
| 30 |
> |
| 31 |
> The only reason there is a security issue with nethack (and other |
| 32 |
> games like it) on Gentoo, and only on Gentoo, is that the games |
| 33 |
> team policy requires that all games have permissions 0750, with |
| 34 |
> group "games", and all users that should be allowed to run games |
| 35 |
> be in the "games" group. Nethack expects that it have permissions |
| 36 |
> 2755 (or 2711), with group "games" and that *no* users are members |
| 37 |
> of that group, so it can securely save files that are accessible |
| 38 |
> to all users during gameplay ("bones" files) and ensure that the |
| 39 |
> user cannot access/change their current save file. These two |
| 40 |
> expectations are incompatible with each other, and end up creating |
| 41 |
> a security issue that upstream would never expect (as no users can |
| 42 |
> be in the "games" group traditionally). |
| 43 |
> |
| 44 |
> |
| 45 |
|
| 46 |
Is Nethack's group expectation hard-coded? If not, then what's |
| 47 |
stopping nethack from using another, self-made group (like 'nethack') |
| 48 |
to arbitrate the bones files? |
| 49 |
|
| 50 |
If it *is* hard-coded, then can we produce a (hopefully simple) patch? |
| 51 |
-----BEGIN PGP SIGNATURE----- |
| 52 |
Version: GnuPG v2 |
| 53 |
|
| 54 |
iQEcBAEBAgAGBQJUrjCEAAoJEJUrb08JgYgHlQYH/RmOzRLebkffwJ3efcR7sCw7 |
| 55 |
i/CU1vBoHdyW86Us3X/PwYl47GSPKaiLTMhTnPNOtQP4wqdkHTXrG4fvQfLKP7Lg |
| 56 |
RC8EkR0kgkdBSVqJIt70Gfxu0fV0o55rOf2bYcDC+RF1HLMWNTQ/e8SkcfDmUAum |
| 57 |
EMRJnqUq3dsiIWbr/WeR27XWxlFz1Oo/jjIoGWvO6JodkZnsHbFlCalycAI1xQv5 |
| 58 |
05BecTx0FDwC1xWrdt3+UaoyrvOrIqz5mxiGM6B+WgEMU8OyURFprljX8a21WuFV |
| 59 |
RcipixJvIKvxEmbI+cC0T9bapRfA1NBW+r6nVk1wsGiJwhJ2biF2HVS+ZwN9Y34= |
| 60 |
=lEkc |
| 61 |
-----END PGP SIGNATURE----- |
Archives