On Sun, 2012-03-18 at 22:17 +0000, Simon McVittie wrote: > On 18/03/12 15:58, Adam D. Barratt wrote: > > Specifically, this not only disables auto-downloading but prevents users > > from turning it back on should they so wish. I assume the logic here is > > that there may still be security issues lurking which involve untrusted > > content and just haven't been found yet? > > That, but more so: auto-downloading is known (or at least strongly > suspected) to be unsafe. Auto-downloaded PK3 files can contain > executable bytecode to be run by a JIT compiler or interpreter, and the > sandboxing used in Quake III Arena (and hence Tremulous and early > ioquake3 versions) is rather lacking - it seems to have been designed > for robustness against coding mistakes, but not against malicious bytecode.
Thanks for the explanation, and apologies for the delay in getting back to you again; please feel free to go ahead with the upload. Regards, Adam -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
