> On Tue, Mar 28, 2006 at 05:01:15PM -0500, Justin Pryzby wrote:
> > Package: slocate
> > Version: 3.1-1
> > Severity: normal
> > 
> > I'm still unhappy with the short description:
> > 
> >   Secure replacement of findutil's locate
> > 
> > but this package provides no added security (at least on Debian), but
> > rather some enhanced/extended functionality.  Please consider making
> > this more clear.

On Tue, Mar 28, 2006 at 02:58:56PM -0800, Kevin Lindsay wrote:
> Well, if you index your filesystem using GNU Locate as root, the
> location to every file will be available to all users. Isn't it
> added security that Secure Locate will perform proper access checks
> to ensure the user is able to see the file location?

On other systems only.

> Just because Debian uses a default context of indexing with 'nobody'
> doesn't mean that the extra security checks are not relevant to the
> description.

I think it makes sense for the Debian description to be able to make
assumptions about the default and typical behavior of another common
Debian package.

Perhaps the description could be extended to include the details:

 slocate - enhanced locate implementation, with permission 
 .
 On Debian, findutils' locate database includes by default only files
 visible to every user.  On other systems, it may index every file,
 and could disclose the existence of otherwise hidden files.  On those
 systems, slocate will not display to the invoking user those files
 which are not otherwise visible to them.  In Debian, slocate provides
 added functionality, by outputting not only files visible to
 everybody, but also files visible to the invoking user.


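The distinction argued in this thread, as an added example that is not part of the original messages and is not slocate's or findutils' code: a simplified model in which the index is built either as root or as `nobody`, and the query either applies a per-user visibility check or does not. The paths, uids, gids and modes in `FS`, and all function names, are constructed for illustration.

```python
import posixpath
from collections import namedtuple

Meta = namedtuple("Meta", "mode uid gid")   # permission bits, owner, group

# Constructed filesystem metadata (not taken from the thread).
FS = {
    "/":                        Meta(0o755, 0, 0),
    "/home":                    Meta(0o755, 0, 0),
    "/home/alice":              Meta(0o700, 1000, 1000),
    "/home/alice/payroll.ods":  Meta(0o644, 1000, 1000),
    "/srv":                     Meta(0o755, 0, 0),
    "/srv/team":                Meta(0o750, 0, 50),
    "/srv/team/plan.txt":       Meta(0o640, 0, 50),
}
ROOT, NOBODY = (0, set()), (65534, {65534})  # (uid, supplementary gids)

def rwx(meta, uid, gids):
    """Permission triplet that applies: owner, else group, else other."""
    if uid == meta.uid:
        return (meta.mode >> 6) & 7
    if meta.gid in gids:
        return (meta.mode >> 3) & 7
    return meta.mode & 7

def visible(path, uid, gids):
    """Could this user discover `path` by walking the tree themselves?"""
    if uid == 0 or path == "/":
        return True
    parent = posixpath.dirname(path)
    if not rwx(FS[parent], uid, gids) & 4:   # must be able to list the parent
        return False
    while True:                              # and traverse every ancestor
        if not rwx(FS[parent], uid, gids) & 1:
            return False
        if parent == "/":
            return True
        parent = posixpath.dirname(parent)

def build_db(indexer):
    """Paths recorded when the indexing job runs as `indexer`."""
    return sorted(p for p in FS if visible(p, *indexer))

def locate(pattern, db, user, check_access):
    """Substring search; with check_access, hide what `user` could not see."""
    return [p for p in db if pattern in p
            and (not check_access or visible(p, *user))]
```

A root-built index queried without the check discloses `/home/alice/payroll.ods` to any user; a `nobody`-built index discloses nothing private but also cannot return a user's own private files, which is the "added functionality" case in the proposed description.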