Moritz Mühlenhoff wrote:

>On Fri, May 10, 2024 at 06:39:20PM +0000, Thorsten Glaser wrote:
>> This is a bit like the limited security support for binutils,
>> I suppose. Could/should we document that in the same places?
>
>Sure thing, this sounds similar to what was done for Lilypond,

Ah, okay.

>best to simply ship a similar README.Debian.security within

I was thinking a README.Debian with:

-----snip-----
Note on possible security issues from untrusted input:

Upstream has never considered it in scope that the software
cannot “crash” on incorrect input, unfortunately. There is
also no security or other support for this version branch
from upstream.

Please consider this and don’t expose the software to untrusted,
possibly incorrect, input files to avoid triggering DoS or possible
security problems in its parsers without suitable confining measures.
This is even more true for import filters than for the native
formats’ parsers (and includes the MusicXML import).

Mu͒seScore Studio was designed to operate as an unconnected desktop
program and not as a remotely accessible service, so please take care.
-----snap-----

I’ll accept suggestions to improve, of course; I think I’ll add
the magic word “sandboxing” to the last paragraph?

bye,
//mirabilos
-- 
"Using Lynx is like wearing a really good pair of shades: cuts out
 the glare and harmful UV (ultra-vanity), and you feel so-o-o COOL."
                                         -- Henry Nelson, March 1999