On Sat, Jul 25, 2020 at 08:05:14PM -0400, Rich Freeman wrote:
> On Sat, Jul 25, 2020 at 7:40 PM Joshua Kinard <kumba@g.o> wrote:
> >
> > This seems like something that needs a news entry, or
> > at least a "heads up" on the mailing list?
>
> Definitely not a "heads up" on the mailing list - that is not an
> appropriate way to communicate anything to users - not even devs are
> required to read this list.
>
> The two appropriate ways to communicate something like this are
> einfo/ewarn/etc or news. Never hurts to use news. Ideally I'd point
> to a substitute, and I'd suggest one myself if I were aware of one...

Just to have this information here for easy access, this is upstream's
response from that bug's URL [1]. They recommend "rsync or something else":

    The scp command is a historical protocol (called rcp) which relies
    upon that style of argument passing and encounters expansion
    problems. It has proven very difficult to add "security" to the scp
    model. All attempts to "detect" and "prevent" anomalous argument
    transfers stand a great chance of breaking existing workflows. Yes,
    we recognize the situation sucks. But we don't want to break the
    easy patterns people use scp for, until there is a commonplace
    replacement. People should use rsync or something else instead if
    they are concerned.

[1] https://github.com/cpandya2909/CVE-2020-15778/