On Tue, May 31, 2005 at 01:54:11PM +1000, Mark Suter wrote: > Robert, > > I agree Mutt should be fixed to create its temporary files in > non-predictable fashion. That mutt honours TMPDIR provides a > work-around, not the solution for Mutt. OK. I took what you initially said as you presenting TMPDIR as the canonical solution. That was my fault.
> > > Besides, given the choice between the following two options: > > > > 1) One-time fix applied by upstream developer; by extenension, present > > in all future releases. > > For this package only... > Not sure what this means. If the fix is only applied to the Debian package, then at least future releases of the Debian package. If it is applied upstream, then future upstream releases will have it as well. Either way, a larger group of users benefits. > > 2) Work around in ~/.bashrc (or equivalent) that must be applied to > > every system accessed. (Think a year or two down the road when you get > > an account on a new machine). > > The flip-side of (2) is that the user avoids this class of problem for > many different packages, present and future. Setting TMPDIR is a good > solution for the user - all software honouring this variable will nwo > avoid all the issues of the shared /tmp. > True. Of course, the user must not fall into thinking that setting TMPDIR is a silver bullet. Of course, mutt honors the setting, but not all programs do. > > I would say that that option 1 has major advantages: > > > > 1) Requires one person to do one thing to fix. > > 2) Less error prone/open to peer review. > > 3) Is not dependent on a specific user action. > > I like doing both - defence in depth, you know ;) > True. It's all about layering. Defense, security, keeping warm in winter and onions. There is a pattern there :-) > I largely agree with you; however, I felt that as TMPDIR is a solution > to the entire class of shared /tmp problems, it's worth mentioning. > If only all programs obeyed it. What would be really need would be if we turned /tmp into a device node or something in proc. Then the system could redirect based on UID. That is, you run foo as yourself and it creates a temporary file under /tmp, and I also run foo and create a temporary file under /tmp, but they are both in different places. Just an idea. -Roberto -- Roberto C. Sanchez http://familiasanchez.net/~sanchezr
pgpnGwWZkPDqI.pgp
Description: PGP signature
