Hi

Note, the mails Cc'ed to 706478 have not reached the BTS anymore as the bug was already archived. I'm keeping below the conversation which did not reach the BTS.

I have prepared a debdiff which no longer symlinks /usr/share/autostart/rygel.desktop, thus not starting rygel on user sessions by default.

Regards,
Salvatore

On Fri, Jul 19, 2013 at 09:35:30AM +0200, Adrien Saladin wrote:
> Hi,
>
> Just a brief update about this bug. While reading the *default*
> configuration file for rygel I've seen the following:
>
> # Allow upload of media files?
> allow-upload=true
>
> # Allow deletion of media folders and files?
> allow-deletion=true
>
>
> If I understand correctly the meaning of these options there is
> definitely a security issue. Imagine a jealous coworker uploading
> illegal or pornographic stuff (or both) and sending an anonymous message
> to the boss or just waiting for someone else to notice it...
>
> Regards,
> Adrien
>
> On Thu, Jul 11, 2013 at 6:21 PM, Adrien Saladin
> <[email protected]> wrote:
> > Hi,
> >
> > On Wed, Jul 10, 2013 at 8:59 PM, Yves-Alexis Perez <[email protected]>
> > wrote:
> >>
> >> I'm not sure it deserves a DSA but that could be fixed through a stable
> >> upload. Adrien, can you prepare an NMU (unless Andreas wants to do the
> >> upload himself, but considering the “go ahead” I guess not) and ask
> >> release team about? If not, I'll try to do it myself when I have time.
> >>
> >
> > Since it would be my very first Debian package I don't really know if
> > it's a good idea for me to target the stable release. Which is the
> > faulty package anyway? Is it the rygel package which is listening by
> > default or the gnome package which depends on rygel? When I install
> > openssh-server or apache2 I expect the server to be running.
> >
> > Concerning the DSA I don't really know what the inclusion
> > criteria are. I was sharing all my music with my lab during three weeks
> > without noticing, which is embarrassing and may lead to legal
> > copyright issues. I can think of potentially more problematic cases,
> > like medical imaging (maybe with the jpeg2000 file format
> > http://www.jpeg.org/apps/medical.html), research material (pictures,
> > diagrams) for a scientific paper which should not leak (especially to
> > some co-workers) until published, etc.
> >
> > Best,
> > Adrien

diff -Nru rygel-0.14.3/debian/changelog rygel-0.14.3/debian/changelog --- rygel-0.14.3/debian/changelog 2012-09-13 11:05:48.000000000 +0200 +++ rygel-0.14.3/debian/changelog 2013-07-22 12:54:32.000000000 +0200 @@ -1,3 +1,11 @@ +rygel (0.14.3-2.1) wheezy-proposed-updates; urgency=low + + * Non-maintainer upload. + * Don't symlink /usr/share/autostart/rygel.desktop to prevent autostart of + rygel. (Closes: #706478). + + -- Salvatore Bonaccorso <[email protected]> Mon, 22 Jul 2013 12:50:31 +0200 + rygel (0.14.3-2) unstable; urgency=low * Add patch from upstream fixing choppy playback on some clients diff -Nru rygel-0.14.3/debian/rygel.links rygel-0.14.3/debian/rygel.links --- rygel-0.14.3/debian/rygel.links 2012-09-13 11:05:48.000000000 +0200 +++ rygel-0.14.3/debian/rygel.links 1970-01-01 01:00:00.000000000 +0100 @@ -1 +0,0 @@ -/usr/share/applications/rygel.desktop /usr/share/autostart/rygel.desktop
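
Review bot: In the new debian/changelog entry, "(Closes: #706478)" points at a bug that this mail says is already archived, and the follow-ups Cc'ed to it did not reach the BTS. The bug should be unarchived before the upload so the closure for 0.14.3-2.1 is actually recorded. The entry also gives no reason for dropping the autostart; a short clause saying that rygel otherwise shares the user's media on the network without the user noticing would help the release team reviewing a wheezy-proposed-updates upload.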
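
Review bot: The allow-upload=true and allow-deletion=true defaults quoted earlier in this thread are not touched by this patch. Removing the single line of debian/rygel.links only stops the session autostart, so anyone who starts rygel by hand still runs it with upload and deletion enabled. Consider shipping both options as false in the same upload, or stating in the changelog that they were deliberately left unchanged.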

