From: zimoun <zimon.toutoune@gmail.com>
To: 38422@debbugs.gnu.org, Bengt Richter <bokr@bokr.com>
Subject: bug#38422: Bug status? '.png' files with executable permissions
Date: Wed, 22 Jan 2020 01:22:45 +0100 [thread overview]
Message-ID: <CAJ3okZ2ZAs+Cf0k29Aafk-LUG4FTU=wtzEJmk8pqVJ==SQ7eNQ@mail.gmail.com> (raw)
In-Reply-To: <20191129075938.GA55971@PhantoNv4ArchGx.localdomain>
Dear Bengt,
The bug report [1] points out files with unexpected permission; based
on extension filename.
[1] https://debbugs.gnu.org/cgi/bugreport.cgi?bug=38422
It is not an security issue or the Guix packager did not carefully
check the validity of these files.
If you are security paranoid, you *have to* check by yourself all the
files using "guix build -S" because in paranoid mode you cannot trust
Guix packagers (and Guix committers neither).
In normal mode, 2 options:
a- propose a patch to change the permission for each offending package
b- report upstream
Well, at least these 3 packages docbook-xsl, faba-icon-theme, and
moka-icon-theme comes with unexpected .png file permission.
On the long term, I am not convinced that adding automatic check and
permission change based on filename extension would really add Quality
Assurance. Because we are speaking about quality, not security.
I am inclined to close this bug. What do you think?
All the best,
simon
next prev parent reply other threads:[~2020-01-22 0:24 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-29 7:59 bug#38422: .png files in /gnu/store with executable permissions (555) Bengt Richter
2019-11-29 9:49 ` Ricardo Wurmus
2019-11-29 10:59 ` zimoun
2019-11-29 11:28 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2019-11-29 12:22 ` Bengt Richter
2019-11-29 12:20 ` Mark H Weaver
2019-11-29 15:03 ` Bengt Richter
2019-11-30 4:08 ` Mark H Weaver
2019-11-30 4:24 ` Brett Gilio
2019-11-30 7:45 ` Julien Lepiller
2019-11-30 20:07 ` Bengt Richter
2019-12-02 15:20 ` zimoun
2020-01-22 0:22 ` zimoun [this message]
2020-01-22 2:28 ` bug#38422: Bug status? '.png' files with executable permissions Bengt Richter
2020-01-27 19:55 ` zimoun
2020-01-22 0:31 ` bug#38422: zimoun
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAJ3okZ2ZAs+Cf0k29Aafk-LUG4FTU=wtzEJmk8pqVJ==SQ7eNQ@mail.gmail.com' \
--to=zimon.toutoune@gmail.com \
--cc=38422@debbugs.gnu.org \
--cc=bokr@bokr.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.