Kei Kebreau <k...@openmailbox.org> writes:

> Marius Bakke <mba...@fastmail.com> writes:
>
>> Leo Famulari <l...@famulari.name> writes:
>>
>>> On Thu, Feb 09, 2017 at 11:39:42PM +0100, Marius Bakke wrote:
>>>> Kei Kebreau <k...@openmailbox.org> writes:
>>>>
>>>> > Reviewers, how does this patch look to you?
>>>>
>>>> AFAIU from CVE-2017-0358, ntfs-3g is only vulnerable when installed
>>>> setuid root, which is not the case on guix.
>>>>
>>>> FWIW Debian do not carry this patch, but have fixed the CVE according to
>>>> the changelog. So I doubt this patch is necessary.
>>>
>>> There have been a couple security-related bugs publicized recently that
>>> are only dangerous when the software is installed setuid root.
>>>
>>> Although we don't do that by default, system administrators can do it on
>>> GuixSD. I also think that Guix is valuable as a distribution mechanism
>>> of free source code, and we should fix bugs for that use case.
>>>
>>> So, I was thinking that we should fix these bugs unless they require
>>> grafting, and then we should fix them in core-updates.
>>>
>>> WDYT?
>>
>> That does make a lot of sense. Reading up on execl(3), it looks like
>> this patch does the right thing and can't hurt even when not setuid.
>>
>> Mind=changed! :P
>
> Are we all agreed on pushing this change?

I agree with Leo that we should try to cover for all use cases of software from Guix, so this change LGTM.