[Python-modules-commits] r26814 - in packages/plainbox/trunk/debian/patches (2 files)

zyga-guest at users.alioth.debian.org zyga-guest at users.alioth.debian.org
Thu Dec 19 19:33:54 UTC 2013 

    Date: Thursday, December 19, 2013 @ 19:33:53
  Author: zyga-guest
Revision: 26814

Disable the plainbox-trusted-launcher-1 --development option

Added:
  packages/plainbox/trunk/debian/patches/04-disable-development-option
Modified:
  packages/plainbox/trunk/debian/patches/series

Added: packages/plainbox/trunk/debian/patches/04-disable-development-option
===================================================================
--- packages/plainbox/trunk/debian/patches/04-disable-development-option	                        (rev 0)
+++ packages/plainbox/trunk/debian/patches/04-disable-development-option	2013-12-19 19:33:53 UTC (rev 26814)
@@ -0,0 +1,40 @@
+Description: Disable the --development option on plainbox-trusted-launcher-1 
+ The --development option allows the trusted launcher to bypass system security
+ and load content from locations controlled by the user. It has been disabled
+ by the Debian packaging, in agreement with the upstream developers (actually
+ upstream wrote this patch). Until a better solution is found this patch needs
+ to be maintained for every release.
+ .
+ Note, the patch is marked as "not-needed" so that nobody just forwards it
+ upstream as it obviously cannot be applied there.
+Author: Zygmunt Krynicki <zygmunt.krynicki at canonical.com>
+Origin: upstream
+Bug-Ubuntu: https://bugs.launchpad.net/checkbox/+bug/1262809 
+Forwarded: not-needed
+Last-Update: 2013-12-19
+
+--- plainbox-0.4~b2.orig/plainbox/impl/secure/launcher1.py
++++ plainbox-0.4~b2/plainbox/impl/secure/launcher1.py
+@@ -29,7 +29,6 @@ import subprocess
+ 
+ from plainbox.impl.job import JobDefinition
+ from plainbox.impl.job import JobOutputTextSource
+-from plainbox.impl.providers.special import CheckBoxSrcProvider
+ from plainbox.impl.secure.providers.v1 import all_providers
+ from plainbox.impl.secure.rfc822 import load_rfc822_records, RFC822SyntaxError
+ 
+@@ -220,9 +219,11 @@ def main(argv=None):
+     launcher = TrustedLauncher()
+     # Feed jobs into the trusted launcher
+     if ns.development:
+-        # Use the checkbox source provider if requested via --development
+-        launcher.add_job_list(
+-            CheckBoxSrcProvider().get_builtin_jobs())
++        # NOTE: the --development option is insecure and has been disabled by
++        # Debian packaging. For details see the URL below:
++        parser.error((
++            "--development is disabled\n"
++            "See https://bugs.launchpad.net/checkbox/+bug/1262809"))
+     else:
+         # Siphon all jobs from all secure providers otherwise
+         all_providers.load()

Modified: packages/plainbox/trunk/debian/patches/series
===================================================================
--- packages/plainbox/trunk/debian/patches/series	2013-12-19 17:44:36 UTC (rev 26813)
+++ packages/plainbox/trunk/debian/patches/series	2013-12-19 19:33:53 UTC (rev 26814)
@@ -1 +1,2 @@
 03-unvendorize
+04-disable-development-option

More information about the Python-modules-commits mailing list