Ansgar π <[email protected]> writes: > Okay, so we have to accept a path into the archive that is known to > accept malicious uploads that would have been rejected by dak so maybe > that path will be changed later? I don't see that happening given all > suggestions to change this have been rejected, even when fairly simple > to implement.
This is not known. You have asserted this, and then come up with increasingly implausible excuses for why you cannot clearly explain wtf you are talking about. It's entirely possible that there are security bugs in the current tag2upload implementation, just like it's entirely possible that there are security bugs in dak and in any other piece of software. The way we deal with those, now and in the future, is that someone explains what the security bug is and then we see if we can fix it. Given the number of factual errors in your previous posts to this thread and your refusal to provide any detail about the security vulnerabilities that you believe exist, I simply do not trust that your assertions are true without something concrete that I can understand. If you want me to take your assertions seriously, you're going to have to show your work. -- Russ Allbery ([email protected]) <https://www.eyrie.org/~eagle/>
