unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed
From: zimoun <zimon.toutoune@gmail.com>
To: 38422@debbugs.gnu.org, Bengt Richter <bokr@bokr.com>
Subject: bug#38422: Bug status? '.png' files with executable permissions
Date: Wed, 22 Jan 2020 01:22:45 +0100	[thread overview]
Message-ID: <CAJ3okZ2ZAs+Cf0k29Aafk-LUG4FTU=wtzEJmk8pqVJ==SQ7eNQ@mail.gmail.com> (raw)
In-Reply-To: <20191129075938.GA55971@PhantoNv4ArchGx.localdomain>

Dear Bengt,

The bug report [1] points out files with unexpected permission; based
on extension filename.

[1] https://debbugs.gnu.org/cgi/bugreport.cgi?bug=38422


It is not an security issue or the Guix packager did not carefully
check the validity of these files.

If you are security paranoid, you *have to* check by yourself all the
files using "guix build -S" because in paranoid mode you cannot trust
Guix packagers (and Guix committers neither).


In normal mode, 2 options:

 a- propose a patch to change the permission for each offending package
 b- report upstream

Well, at least  these 3 packages docbook-xsl, faba-icon-theme, and
moka-icon-theme comes with unexpected .png file permission.


On the long term, I am not convinced that adding automatic check and
permission change based on filename extension would really add Quality
Assurance. Because we are speaking about quality, not security.


I am inclined to close this bug. What do you think?

All the best,
simon

  parent reply	other threads:[~2020-01-22  0:24 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-29  7:59 bug#38422: .png files in /gnu/store with executable permissions (555) Bengt Richter
2019-11-29  9:49 ` Ricardo Wurmus
2019-11-29 10:59   ` zimoun
2019-11-29 11:28   ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2019-11-29 12:22   ` Bengt Richter
2019-11-29 12:20 ` Mark H Weaver
2019-11-29 15:03   ` Bengt Richter
2019-11-30  4:08     ` Mark H Weaver
2019-11-30  4:24       ` Brett Gilio
2019-11-30  7:45       ` Julien Lepiller
2019-11-30 20:07         ` Bengt Richter
2019-12-02 15:20           ` zimoun
2020-01-22  0:22 ` zimoun [this message]
2020-01-22  2:28   ` bug#38422: Bug status? '.png' files with executable permissions Bengt Richter
2020-01-27 19:55     ` zimoun
2020-01-22  0:31 ` bug#38422: zimoun

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAJ3okZ2ZAs+Cf0k29Aafk-LUG4FTU=wtzEJmk8pqVJ==SQ7eNQ@mail.gmail.com' \
    --to=zimon.toutoune@gmail.com \
    --cc=38422@debbugs.gnu.org \
    --cc=bokr@bokr.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).