[Pkg-mozext-maintainers] Bug#919557: Bug#919557: Bug#919557: Bug#922944: handling symbolic links in webextensions

Dmitry Smirnov onlyjob at debian.org
Sun Apr 26 01:17:28 BST 2020


On Sunday, 26 April 2020 9:25:06 AM AEST Ximin Luo wrote:
> The source code doesn't mention any particular reason, and one person on
> the upstream bug report mentions it in such an off-the-cuff and
> non-explanatory way I can't take it into account as a serious data point.
> We shouldn't just let a mere mention of "security" scare us into not
> touching stuff and using our own reasoning to fix bugs.
> 
> And I *did* think about the possible security considerations, as I
> explained in my previous email, and derived my suggested patch based on
> these considerations. (FWIW, I have done and am doing various types of
> security work professionally, and I'm confident about this type of
> reasoning in general.)

Did you consider the possibility of users having a mix of packaged and non-packaged extensions? I think it is reasonable to contain/sandbox extensions to prevent peeking into various file system locations through symlinks.

Once Firefox is patched to allow symlinks, the threat might be from malicious 
symlinks in non-packaged extensions.


> This is static linking, and in Debian we generally avoid doing that. I am
> not saying you shouldn't do it for your package, but we also shouldn't shy
> away from fixing infrastructural situations that force us into it.

Yes, valid. I agree. :)

-- 
Regards,
 Dmitry Smirnov.

---

Censorship is always cause for celebration. It is always an opportunity
because it reveals fear of reform. It means that the power position is so
weak that you have got to care what people think.
        -- Julian Assange
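The containment argument above (a symlink inside an unpacked extension directory must not be allowed to reach outside that directory) can be checked mechanically. The following is an added illustration, not code from this thread, from Firefox or from any Debian package; the function names `audit_extension_dir` and `run_demo` are hypothetical, and the extension tree it inspects is constructed in a temporary directory for the demo. It walks the directory without following links, resolves each symlink and reports whether the target stays inside the extension root; dangling or looping links are rejected as well.

```python
import os
import tempfile
from pathlib import Path


def audit_extension_dir(root):
    """Classify every symlink under an unpacked extension directory.

    Returns (allowed, rejected): sorted lists of paths relative to ``root``.
    A symlink is allowed only when its fully resolved target is inside
    ``root``; a link that resolves elsewhere (another extension, a user
    file, a system file) is rejected, as is a dangling or looping link.
    """
    root = Path(root).resolve()
    allowed, rejected = [], []
    # followlinks=False: symlinked directories are listed but never descended
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue
            rel = str(entry.relative_to(root))
            try:
                target = entry.resolve(strict=True)
            except (OSError, RuntimeError):
                # missing target or symlink loop: treat as unsafe
                rejected.append(rel)
                continue
            if target == root or root in target.parents:
                allowed.append(rel)
            else:
                rejected.append(rel)
    return sorted(allowed), sorted(rejected)


def build_demo_tree(base):
    """Build a constructed sample extension with three kinds of symlink."""
    ext = Path(base) / "example-ext"
    (ext / "icons").mkdir(parents=True)
    (ext / "manifest.json").write_text('{"manifest_version": 2}')
    (ext / "icons" / "logo.png").write_bytes(b"\x89PNG")
    # relative link that stays inside the extension: acceptable
    os.symlink("logo.png", ext / "icons" / "icon.png")
    # link escaping the extension root: the case the containment argument is about
    outside = Path(base) / "secret.txt"
    outside.write_text("not for extensions")
    os.symlink(outside, ext / "leak.txt")
    # dangling link: no target exists
    os.symlink("missing.js", ext / "background.js")
    return ext


def run_demo():
    """Create the sample tree, audit it and return (allowed, rejected)."""
    with tempfile.TemporaryDirectory() as base:
        ext = build_demo_tree(base)
        return audit_extension_dir(ext)


if __name__ == "__main__":
    allowed, rejected = run_demo()
    print("allowed:", allowed)
    print("rejected:", rejected)
```

Run as a script it prints one allowed link (`icons/icon.png`) and two rejected ones (`background.js`, `leak.txt`). The check resolves the final target rather than inspecting the link text, so a chain of links that ends outside the root is caught even when each individual hop looks local; a packager who wants the stricter Debian-style policy can simply reject any non-empty `allowed` list too.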