#11676: sage-pkg does not force world-readable permissions
-------------------------------+--------------------------------------------
Reporter: AlexanderDreyer | Owner: AlexanderDreyer
Type: enhancement | Status: needs_info
Priority: major | Milestone: sage-4.7.2
Component: scripts | Keywords: chmod umask install mode
Work_issues: | Upstream: N/A
Reviewer: | Author: Alexander Dreyer
Merged: | Dependencies:
-------------------------------+--------------------------------------------
Comment(by leif):
Replying to [comment:26 AlexanderDreyer]:
> But anyway, as I understand from #11664 the sources ''must'' be world
> readable in any case. So Sage should provide a tool to ensure this while
> packaging - at least optionally. Alternatively, {{{sage-pkg}}} should
> test the permissions and give a warning if necessary.
Well, in principle only files that are to be ''copied'' (with `-p`) into
the Sage installation tree should have 0644 or 0755 permissions (one
should usually use some BSD-like `install` where this isn't an issue at
all), but it's of course nearly impossible to check that when doing an
automatic "sanity" check on an spkg.
[[BR]]
> BTW: For the second part of the patch - namely changing the user/group
> to root - this should be done for privacy reasons anyway. (This can only
> be done in the tar file)
FWIW, doing
{{{
#!sh
$ tar -C /tmp -xvjf foo-x.y.z.pN.spkg &&
tar -C /tmp --owner=0 --group=0 -cvjf foo-x.y.z.pN.spkg foo-x.y.z.pN
}}}
you can achieve the same.
(I personally don't think privacy really matters here, especially since
you can fake arbitrary user/group names or IDs, and your e-mail address
should be contained in the log anyway. Instead, it is IMHO useful to see
who packaged an spkg, modulo that there need not be a relation to a user
you really know. Alternatively, you could also use ''numeric'' UIDs/GIDs
for the tarball in case you feel using your real logname is dangerous from
a security point of view.)
--
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/11676#comment:27>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica,
and MATLAB
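As an added example, not code from the ticket or from sage-pkg: the two points discussed in the comment above (checking an spkg for members that are not world-readable, and resetting the user/group stored in the tarball) done directly on the archive with Python's `tarfile`. The function names, the sample archive `foo-1.0.p0` and the user `alice` are constructed for illustration.

```python
import io
import stat
import tarfile

def audit_spkg(data):
    """Return (permission warnings, set of owner:group names stored in the tarball)."""
    warnings, owners = [], set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar:
            owners.add(f"{m.uname or m.uid}:{m.gname or m.gid}")
            need = 0o005 if m.isdir() else stat.S_IROTH   # dirs also need o+x
            if (m.isdir() or m.isfile()) and (m.mode & need) != need:
                warnings.append(f"{m.name}: mode {m.mode:04o} is not world-readable")
    return warnings, owners

def normalize_spkg(data):
    """Repack as bzip2 tar with uid/gid 0 and a+r (a+rx for dirs and executables)."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as src, \
         tarfile.open(fileobj=out, mode="w:bz2") as dst:
        for m in src:
            m.uid = m.gid = 0
            m.uname = m.gname = "root"        # assumption: name the owner "root"
            if m.isdir() or (m.isfile() and m.mode & stat.S_IXUSR):
                m.mode |= 0o555
            elif m.isfile():
                m.mode |= 0o444
            dst.addfile(m, src.extractfile(m) if m.isfile() else None)
    return out.getvalue()

def build_sample():
    """Constructed sample: an spkg packed by user 'alice' under umask 077."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:bz2") as tar:
        for name, mode, body in [("foo-1.0.p0", 0o700, None),
                                 ("foo-1.0.p0/spkg-install", 0o700, b"#!/bin/sh\n"),
                                 ("foo-1.0.p0/SPKG.txt", 0o600, b"= foo =\n")]:
            info = tarfile.TarInfo(name)
            info.mode, info.uid, info.gid = mode, 1000, 1000
            info.uname = info.gname = "alice"
            info.type = tarfile.DIRTYPE if body is None else tarfile.REGTYPE
            info.size = len(body or b"")
            tar.addfile(info, io.BytesIO(body) if body else None)
    return out.getvalue()

if __name__ == "__main__":
    before = build_sample()
    print(audit_spkg(before))                  # three warnings, owner alice:alice
    print(audit_spkg(normalize_spkg(before)))  # no warnings, owner root:root
```

Because the modes and owner fields are rewritten in the tar headers only, nothing is extracted to disk and the packager's umask does not influence the result.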