[Debian GNUstep maintainers] Bug#885954: cenon.app: \r in filename in .orig tarball

Adam Borowski kilobyte at angband.pl
Wed Jan 3 01:04:36 UTC 2018


On Wed, Jan 03, 2018 at 02:48:22AM +0200, Yavor Doganov wrote:
> On Mon, 01 Jan 2018 00:55:00 +0200,
> Adam Borowski wrote:
> > Source: cenon.app
> > Version: 4.0.2-1
> 
> > There are two files with \r in name in the tarball:
> > tar: Cenon/Cenon.xcodeproj/Icon\r: Cannot open: Permission denied
> > tar: Cenon/Cenon.xcodeproj/Icon\r: Cannot open: Permission denied
> > Note that this already confuses tar!
> 
> Hmm, I'm afraid that I can't reproduce this with tar/1.29b-2.  Perhaps
> that's something specific to your environment or filesystem?  I tried
> both with dpkg-source and tar and I get no errors/warnings.

Yeah, as I mentioned, the kernel has a patch that bans control characters in
file names -- they can be used for security bugs (at least '\n') or to play
nasty with the user (01..31), and unlike other nastiness such as invalid
Unicode, controls have no known legitimate use in the wild.

> There is one file (not two) with \r under Cenon.xcodeproj.  I guess
> it's automatically created by XCode (proprietary IDE for Muck OS X) so
> I suspect it's never going to be fixed upstream.
> 
> I'll repackage the tarball, removing the entire directory, but I'd
> like to postpone this for the next upstream release (4.0.6).  It can't
> be uploaded right now because it depends on a new gnustep-gui method
> that is available in 0.26, so it'll be after the (forthcoming)
> gnustep-gui transition.  (Unless the current version fails to build
> with -gui/0.26, of course.)  OK?

No hurry; the security module is not even written yet (current patches were
NACKed and I was told to reimplement them as a LSM, which I did not get
around to doing yet), so it'll be a while until this hits Debian.

> I use the opportunity to thank you wholeheartedly for sponsoring
> basically all of my uploads recently.

Looks like Gianfranco just got back, he tends to overdo me by a factor of
2-3.  At least I used his absence to rack up some score :)

> > However, I'm developing a security module that bans problematic
> > filenames, and in the configuration I'd like to recommend for
> > distributions to default to, \r is forbidden.
> 
> Are there any plans for this to be enforced or at least recommended in
> Debian distro-wide?  (Just asking out of curiosity.)

This tends to take a few years.  With my simple hard-coded approach
rejected, it'll be a LSM, and those, even after being accepted, usually get
enabled by only "hardened" distros and Gentooites for a while, then by
mainstream distros, only then possibly becoming kernel default.

I'm filing bugs already only because it'll make my Big Plot For World
Domination easier -- changes like this are far more likely to get accepted
if I can claim I did an archive rebuild and it doesn't break anything
anymore.


Meow!
-- 
// If you believe in so-called "intellectual property", please immediately
// cease using counterfeit alphabets.  Instead, contact the nearest temple
// of Amon, whose priests will provide you with scribal services for all
// your writing needs, for Reasonable And Non-Discriminatory prices.
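The check discussed in this thread, written out as an added example (not code from the bug report, the cenon.app package or the kernel module under discussion): it lists the members of a tarball and flags every path whose name or link target contains a byte in the range 0x01..0x1f or 0x7f, which is the class of characters the proposed filename policy rejects. The tarball it scans is constructed in memory with made-up member names, one of which copies the `Icon\r` pattern from the report, so the script runs offline; point `scan_tar` at the bytes of a real `.orig.tar.*` to audit a source package the same way.

```python
"""Flag tar members whose names contain control characters.

Added example for the discussion above; not part of the original bug
report or any project it mentions.  Control characters in file names
confuse tools that print names verbatim ('\r' rewinds the line, '\n'
splits it), so the names are reported with repr() and as hex codes.
"""
import io
import tarfile

# C0 controls 0x01..0x1f (this covers '\t', '\n' and '\r') plus DEL 0x7f.
# NUL cannot occur in a tar member name, so the range starts at 1.
CONTROL_CHARS = frozenset(chr(c) for c in range(1, 32)) | {"\x7f"}


def control_chars_in(name: str) -> set:
    """Return the set of control characters that appear in *name*."""
    return {ch for ch in name if ch in CONTROL_CHARS}


def scan_tar(data: bytes) -> dict:
    """Map each offending member name to the sorted hex codes found in it.

    Both the member path and, for links, the link target are inspected,
    since either one ends up as a path on the extracting system.
    """
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            bad = control_chars_in(member.name) | control_chars_in(member.linkname)
            if bad:
                findings[member.name] = sorted("0x%02x" % ord(ch) for ch in bad)
    return findings


def build_sample_tar() -> bytes:
    """Construct a small tarball in memory with constructed member names.

    'project/Icon\r' mirrors the pattern reported for Cenon.xcodeproj;
    the other names are invented for this example.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("project/README", "project/Icon\r", "project/notes\n.txt"):
            info = tarfile.TarInfo(name)
            payload = b"sample"
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: report offending names without letting '\r' or '\n' reach the terminal raw.
    for name, codes in scan_tar(build_sample_tar()).items():
        print("%s: control characters %s" % (repr(name), ", ".join(codes)))
```

Running the script prints two findings: `'project/Icon\r'` with `0x0d` and `'project/notes\n.txt'` with `0x0a`; the plain `README` member is not reported. Printing `repr(name)` rather than the raw name is the point of the exercise: a bare `\r` would overwrite the start of the output line, which is exactly the kind of display trick the thread is worried about.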