On Sun, May 27, 2018 at 8:19 PM, Ralf Friedl <ralf.fri...@online.de> wrote:
> Denys Vlasenko wrote:
>> wget should work for common use cases.
>> Such as downloading sources of kernels, gcc and such.
>>  From build scripts, not only by hand.
>> Without having to modify said scripts.
>> Your patch breaks that.
>> NAK.
>> I don't care that security people are upset.
>> They are paranoid, it's part of their profession.
>> It does not mean everybody else have to be as paranoid.
> I must admit I'm surprised by this statement.

I was surprised when one distro's security people decided to disable
ptrace for non-root users. Because "they don't need it,
and it's more secure that way". Unprivileged users suddenly
not being able to strace their own processes was seen
as unimportant.

Only a flood of thousands of irate emails made them understand
that computers have other purposes apart from being extremely secure.

> You add paranoid changes to programs like cp, unlinking the target in direct
> violation of POSIX, breaking some use cases. There was recent discussion
> about modifying the extraction of TAR and other archives, which introduced
> new problems and regressions.
> While there is nothing wrong with being careful, busybox is mainly used on
> single user systems, so it is unlikely that there is another user to create
> race conditions to exploit.

You misunderstood the nature of "tarball attacks". They are not local.

> On the other hand, not checking https means transfers could be attacked by
> someone anywhere on the network, not only a local user on the machine, so
> the number of potential attacked is much larger, and you don't even print a
> warning that the remote identity is not checked.

We used UNENCRYPTED !!! ftp and http for ~50 years, and somehow
civilization did not collapse. Somehow, when people needed security,
they found ways to ensure it.

There need to be a balance. Security considerations do not automatically
override everything.
busybox mailing list

Reply via email to