On Thu, 2009-07-30 at 21:09 -0700, Max Kanat-Alexander wrote:
> Owen Taylor wrote:
> > Don't consider the security risk of launching ImageMagick
> > code from the web interface worth the marginal feature of allowing
> > BMP's to be converted to PNG's on upload. (Probably most BMP's that
> > are uploaded to gnome.org are to demonstrate bugs in gdk-pixbuf
> > or EOG...)
>
> FWIW, there's no security risk that I'm aware of. But if you don't need
> the feature, you don't have to install the package.

The security risk I'm referring to is the risk of exploits in the BMP
decoder in ImageMagick. History indicates that image decoders are a rich
source of vulnerabilities. It's not in any way a big security risk, but
if we don't need the feature anyways..

> > Authen::LDAP
> >
> > No immediate need to authenticate users against LDAP. Maybe later
> > if we want a unified gnome.org password.
>
> I think it'd be better to just install this now, so that if people do
> want to do some sort of SSO for gnome.org, they can just set this up in
> Bugzilla's admin interface without having to resort to a sysadmin with
> root on the box. (Of course, that might just be the same person anyway.)

I don't think SSO could be accomplished without a lot of intensive
sysadmin participation.

- Owen
