On 2023-02-17 at 09:42 -0700, Sean Whitton wrote: > So: commit ce4a066ed1e fixes Debian bug #1021842 without the env var.
On 2023-02-14 at 11:32 +0000, Andrea Corallo wrote: > Stefan Monnier <monn...@iro.umontreal.ca> writes: > > `temporary-file-directory' may point to a world-writable directory, so > > it's vulnerable to the usual race condition where someone manages to > > predict the name of the file you're going to write and places there > > a symlink to some "interesting" place, so you end up overwriting some > > other file unwittingly. > > Okay, ce4a066ed1e generates trampolines in a temporary directory if no > other option is viable (using the make-temp-file machinery to generate > the unpredictable name). > + finally (cl-return > + (expand-file-name > + (make-temp-file-internal (file-name-sans-extension rel-filename) > + 0 ".eln" nil) > + temporary-file-directory)))) Hmm, it seems using make-temp-file-internal with DIR-FLAG=0 which just constructs a name and do not create the file like make-temp-name, so there is a race condition as Stefan mentioned. Is that really OK? Thanks, -- Tatsuya Kinoshita
