On Thu, Aug 19, 2021 at 01:10:17AM +0200, Christoph Anton Mitterer wrote:
> While I can understand that it's desirable to get rid of custom legacy tools,
> this should be more properly documented.
> 
> I guess a NEWS.Debian entry and some notes in the next release notes would be
> appropriate.
> 
> 
> The problems with xsessions have shown that the deprecation warning to stderr
> might not have been enough, since the tool might be used in places where that
> is never read.
> 
> 
> In principle dropping it might be even security relevant, consider some (ab)use
> like:
> MYBASEDIR=/var/lib/foo        #being readable for anyone but writable only for some user
> MYTMPDIR="$MYBASEDIR/$(tempfile -d)"
> mkdir -p "$MYTMPDIR"
> chown go= "$MYTMPDIR"
> 
> Now with tempfile gone and no proper error handling in the above example,
> MYTMPDIR would be MYBASEDIR, and possibly sensitive data could end up in it
> (now world readable).
> 
> Sure, the above would obviously be an abuse of tempfile,... but people might
> still do it.
> Thus, a big fat warning seems reasonable.

Do you have some proposed text?  I would be likely to end up with a 15-page
screed which would be helpful to almost no one.

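The failure mode described in the quoted message, next to a guarded variant, as an added example that is not part of the original thread. The function names and the `tempfile-missing-example` command name are hypothetical, and `mktemp -d` is swapped in for `tempfile`.

```shell
#!/bin/sh
# Added example, not from the thread. All function names are hypothetical.

# Path computation from the quoted snippet, with the helper command passed in
# so that a removed binary can be simulated. stderr is discarded, as in the
# unattended contexts where the deprecation warning was never read.
legacy_tmpdir_path() {
    _base=$1
    _helper=$2
    # A missing helper yields an empty substitution, so the result is "$_base/".
    printf '%s/%s\n' "$_base" "$("$_helper" 2>/dev/null)"
}

# Guarded variant: fail closed instead of silently falling back to the base.
make_private_tmpdir() {
    _base=$1
    [ -d "$_base" ] || { echo "base directory missing: $_base" >&2; return 1; }
    command -v mktemp >/dev/null 2>&1 || { echo "mktemp not found" >&2; return 1; }
    # mktemp -d creates the directory itself, accessible to the owner only.
    _dir=$(mktemp -d "$_base/tmp.XXXXXXXXXX") || return 1
    # Reject an empty result or one that collapses to the base directory.
    [ -n "$_dir" ] && [ -d "$_dir" ] || return 1
    case $_dir in
        "$_base"|"$_base"/) return 1 ;;
    esac
    printf '%s\n' "$_dir"
}

# Demonstration in a scratch directory (constructed input).
demo_base=$(mktemp -d) || exit 1
echo "legacy:  $(legacy_tmpdir_path "$demo_base" tempfile-missing-example)"
echo "guarded: $(make_private_tmpdir "$demo_base")"
rm -rf "$demo_base"
```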