[Popcon-developers] question about "not in sid"-maintainer
Bill Allombert
allomber at math.u-bordeaux.fr
Fri Nov 18 14:10:10 UTC 2005
On Fri, Nov 18, 2005 at 01:47:01PM +0100, Petter Reinholdtsen wrote:
> [Bill Allombert]
> > Not yet, I always wait about one week to see if nothing breaks.
>
> Isn't this making it harder to track the history of the files?
No, it makes it easier. We only commit tested changes.
> > By the way the file in CVS did not match the one on the server even
> > before I started to make changes.
> > Which one are supposed to be up-to-date ?
>
> I prefer to treat the CVS version as the authoritative version. I
> suggest you keep the CVS version. The CVS version is the version used
> on <URL:http://developer.skolelinux.no/popcon/>.
Then please don't change the CVS version before updating the server.
Also I am concerned we ship CGI scripts that have security holes in
some configurations. I have mentioned the problem with the Ubuntu approach
on this list already:
$directsave=1 and popcon-submit-ubuntu.cgi both trivially allow an
attacker to create arbitrary files on the server.
I don't think we can ship that in the packages.
Cheers,
Bill.
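As an added illustration of the bug class Bill describes (a submission handler that lets the client influence where its file is written), here is a constructed Python example. It is not popcon's code: the page does not show the CGI scripts or what $directsave does, so the spool directory, the 1 MiB size cap and the 32-hex-character file name are assumptions made for the example.

```python
import os
import re
import secrets
import tempfile

# Constructed example, not popcon's code. It shows the general shape of an
# "attacker creates arbitrary files on the server" bug in a submission
# handler, and a writer that does not have it. Paths and limits are assumed.

HEX_ID_RE = re.compile(r"^[0-9a-f]{32}$")
MAX_BODY = 1 << 20  # assumed 1 MiB cap on one submission


def naive_target(spool_dir: str, client_name: str) -> str:
    """The unsafe pattern: the file name comes straight from the request.

    os.path.join follows ".." components and discards spool_dir entirely when
    client_name is absolute, so the client decides where the file lands.
    """
    return os.path.join(spool_dir, client_name)


def escapes_spool(spool_dir: str, path: str) -> bool:
    """True if path resolves outside spool_dir (symlinks and ".." resolved)."""
    spool = os.path.realpath(spool_dir)
    target = os.path.realpath(path)
    try:
        return os.path.commonpath([spool, target]) != spool
    except ValueError:  # no common prefix at all (e.g. different drives)
        return True


def save_submission(spool_dir: str, body: bytes) -> str:
    """The safe pattern: the server picks the name, the client supplies bytes.

    Nothing from the request reaches the file system path. The body is
    size-limited and written through a temp file plus atomic rename, so a
    half-written report is never picked up by whatever processes the spool.
    Returns the path of the file that was written.
    """
    if not isinstance(body, bytes):
        raise TypeError("body must be bytes")
    if len(body) > MAX_BODY:
        raise ValueError("submission too large")
    name = secrets.token_hex(16)  # 32 hex chars, unguessable, server-chosen
    assert HEX_ID_RE.match(name)
    final = os.path.join(spool_dir, name)
    fd, tmp = tempfile.mkstemp(dir=spool_dir, prefix=".incoming-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(body)
        os.replace(tmp, final)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return final


if __name__ == "__main__":
    # Constructed inputs: a traversal attempt and an ordinary report body.
    print(naive_target("/srv/spool", "../../etc/cron.d/evil"))
    spool = tempfile.mkdtemp()
    print(save_submission(spool, b"POPULARITY-CONTEST-0 TIME:1\n"))
```

The property that matters is that no byte of the request is used to form the path; validating a client-supplied name against a pattern is the second-best option and is easy to get wrong once encodings and symlinks are involved.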