Hi,

On Fri, Oct 09, 2015 at 07:36:21PM +0200, Salvatore Bonaccorso wrote:
> Hi,
>
> On Fri, Oct 09, 2015 at 05:22:16PM +0200, Sandro Mani wrote:
> > Some time back licensecheck grew a dependency on Dpkg::IPC [1], which on
> > Fedora causes the "devscripts-minimal" package (which includes licensecheck)
> > to pull in dpkg. I'd like to propose the patch below to reduce the
> > dependency load:
> [...]
>
> If this is changed, one needs to make sure that CVE-2015-5705 /
> #794365 isn't reintroduced (argument injection vulnerability).
I understand the back-tick is problematic, as in CVE-2015-5705. (hmmm ... something to keep in mind :-) Avoiding it was a good idea.

Both Dpkg::IPC and IPC::Run seem to offer similar functionality and similar security protection by using a list of strings instead of a long shell-interpreted command string. So this change itself looks neutral for the concern raised by Salvatore. (An in-depth evaluation may be a good idea. Feedback on this aspect from Sandro is appreciated.)

But before digging that deep for such security feature differences, I fail to understand the rationale of switching from Dpkg::IPC to IPC::Run for devscripts as presented.

I do not know how the OP wishes to use this code on Fedora, but if we look at the devscripts package as a whole, the OP's claim "grew a dependency" does not make sense. The use of Dpkg::IPC was meant to avoid growing dependencies. Look at the package:

  $ cd scripts
  $ fgrep 'use Dpkg::IPC' *.pl
  debdiff.pl:use Dpkg::IPC;
  debuild.pl:use Dpkg::IPC;
  dscverify.pl:use Dpkg::IPC;
  licensecheck.pl:use Dpkg::IPC qw(spawn);
  mk-build-deps.pl:use Dpkg::IPC;
  mk-origtargz.pl:use Dpkg::IPC;
  uscan.pl:use Dpkg::IPC;
  $ fgrep 'use IPC::Run' *.pl
  $

Let's also see the dependency chain on the Debian system:

  IPC::Run is from libipc-run-perl
  libipc-run-perl is pulled in by lintian (Depends:) -- no other important ones
  lintian is pulled in by devscripts (Recommends) -- not a strong guarantee

  Dpkg::IPC is from libdpkg-perl
  libdpkg-perl is pulled in by dpkg-dev (Depends:)
  dpkg-dev is pulled in by devscripts (Depends:) -- strong guarantee

If there are any security or technical advantages in light of the above situation, please present them. Randomly picking similar modules in a family of programs complicates the dependency situation. If there are merits for switching, please present them and change them all. Without such facts and rationale, this wish should not be implemented as requested on licensecheck.
If the wishlist bug comes with a patch that enables either Dpkg::IPC or IPC::Run after checking their availability, that may be implemented if there are no security concerns.

Regards,

Osamu
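The point Osamu makes above, that the security property comes from passing an argv list rather than a shell-interpreted string, can be seen in a few lines of Perl. The following is an added illustration, not code from devscripts, licensecheck, Dpkg::IPC or IPC::Run; it uses only core Perl (list-form open) and a constructed file name with shell metacharacters, and `head_via_shell` / `head_via_list` are hypothetical helper names chosen for this example.

```perl
#!/usr/bin/perl
# Added example (not devscripts code): a shell-interpreted command string
# versus an argv list, using a constructed hostile file name.
use strict;
use warnings;
use File::Temp qw(tempdir);

my $dir = tempdir(CLEANUP => 1);

# Constructed sample input: a file name carrying shell metacharacters.
# A benign "$dir/x" is created too so the shell form has something to read.
my $hostile = "$dir/x; touch $dir/pwned; true";
for my $name ("$dir/x", $hostile) {
    open(my $fh, '>', $name) or die "create $name: $!";
    print $fh "sample line\n";
    close $fh;
}

# 1. Vulnerable pattern: back-ticks hand the whole string to /bin/sh,
#    so the ';' in the file name turns the rest into extra commands.
sub head_via_shell {
    my ($file) = @_;
    return `head -n 1 $file`;
}

# 2. Safe pattern: list-form open() execs the program directly with an
#    argv array and never starts a shell.  Dpkg::IPC::spawn(exec => [...])
#    and IPC::Run::run([...]) rely on the same mechanism.  The '--' also
#    stops a file name beginning with '-' from being parsed as an option.
sub head_via_list {
    my ($file) = @_;
    open(my $in, '-|', 'head', '-n', '1', '--', $file)
        or die "head: $!";
    my $line = <$in>;
    close $in;
    return defined $line ? $line : '';
}

head_via_shell($hostile);
my $injected = -e "$dir/pwned";
print $injected ? "shell form: injected command ran\n"
                : "shell form: no injection\n";
unlink "$dir/pwned";

my $line = head_via_list($hostile);
$injected = -e "$dir/pwned";
print $injected ? "list form: injected command ran\n"
                : "list form: no injection, read: $line";
```

Run it on a system with /bin/sh and head(1) available: the shell form leaves the marker file behind, the list form reads the oddly named file as data and leaves nothing behind. Whether a script uses Dpkg::IPC, IPC::Run or core open()/system() in list form matters far less than that no variant of the code path falls back to a single interpolated string.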