Debian Bug Tracking System writes ("Bug#483358 closed by Carl Worth 
<cwo...@cworth.org> (Re: tar --null -T \-dequotes filenames !)"):
> On Tue, 28 Jul 2009 17:38:26 -0700, Carl Worth <cwo...@cworth.org> wrote:
> > PS. Bdale, for a case like this should I close the bug report by sending
> > to 483358-done@ ? And should I give it a "Tags: wontfix" or so?
> 
> Bdale said that's the right plan, so I'm doing that now.

I think the answer you gave in your reply to the bug report is rather
surprising.

Are there in fact any programs which use tar --null which properly
quote the incoming filenames ?  Are there in fact any programs which
can easily generate a list of filenames in the format expected by
tar --null --unquote ?

I would argue that the behaviour _and the documentation_ should be
changed so that --null implies --no-unquote.

You might say that changing the behaviour is not acceptable because of
the theoretical possibility that there might exist some program which
would become broken because of it.  I would suggest that is a
far-fetched worry.  But if so, then --null should cause a fatal error
unless --unquote or --no-unquote is supplied.  As it is, I expect that
almost all programs using tar --null have obscure bugs which are in
some cases likely to be security problems.

Or do you think I should grep the lintian lab and start filing
critical security bugs ?

Ian.

Also, Carl: when you sent your reply you sent it only to the bug
report and not to me.  So the first I knew about this was when the
bug was closed.
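
The mismatch discussed in this message, shown as an added example that is not part of the original e-mail or of tar itself: `find -print0` emits raw, unquoted names, so the reader is told explicitly not to unquote them. It assumes GNU tar and a `find` with `-print0`; the function names and sample file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Assumes GNU tar and a find
# that supports -print0. Function names are hypothetical.

# archive_tree SRC ARCHIVE: archive every regular file under SRC, taking
# the member names byte-for-byte from find.
archive_tree() {
    # find -print0 emits raw names separated by NUL and quotes nothing, so
    # the reader must not unquote: --no-unquote is passed explicitly rather
    # than relying on what --null does by default.
    # "find ." prefixes every name with "./", so none can start with "-".
    (cd "$1" && find . -type f -print0) |
        tar -C "$1" --null --no-unquote -T - -cf "$2"
}

# roundtrip_ok: build constructed sample files whose names contain literal
# backslash sequences, archive them, extract, and compare the name lists.
roundtrip_ok() {
    work=$(mktemp -d) || return 1
    mkdir "$work/src" "$work/out"
    for name in 'plain' 'tab\there' 'nl\nhere' 'oct\101'; do
        : > "$work/src/$name"
    done
    archive_tree "$work/src" "$work/a.tar" &&
        tar -C "$work/out" -xf "$work/a.tar"
    status=$?
    want=$(cd "$work/src" && find . -type f | sort)
    got=$(cd "$work/out" && find . -type f | sort)
    rm -rf "$work"
    [ "$status" -eq 0 ] && [ "$want" = "$got" ]
}

roundtrip_ok && echo "all names preserved"
```

A reader that unquotes would look for names containing a tab, a newline and the letter `A` in place of the backslash sequences, none of which exist in the source directory.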


