Michael Meskes dijo [Mon, Feb 19, 2018 at 12:44:40PM +0100]: > > I'd strongly urge you to reconsider packaging this project, for > > three main reasons: > > > > * It relies upon the external VPNGate.net site/service. If this > > goes away in the lifetime of a stable Debian release users will > > be screwed. > > That is actually a good point. I wonder if using a local copy might be > a good alternative.
I suppose the information it downloads is needed to keep the database up to date. Thinking about a lifetime of ~5 years (stable+oldstable), I don't think we could work around that > > * It allows security attacks on against the local system which the > > remote service could exploit: > > > > 1. The tool downloads a remote URL to /tmp/openvpnconf > > > > 2. The file is then given as an argument to the command: > > sudo openvpn /tmp/openvpnconf > > > > 3. That generated/downloaded openvpn configuration file could > > be written to do anything, up to and including `rm -rf /`. > > Can you actually get openvpn to do this? Depends on what information you put in /tmp/openvpn.conf, I guess. The least likely candidates end up opening holes - i.e. remember the quite recent KDE notifier bug allowing FAT volume labels containing $() to be executed :-P I mean - It might be completely OK. But given this creates configuration for setting up a high-privileged daemon from a public place, it'd be on you to carefully comb on the relevant parts of the source to assert the handling of this information is sensible.