Hi,
* Nico Golde <n...@debian.org> [2009-07-19 20:44]:
> * Piotr Engelking <inkerma...@gmail.com> [2009-07-19 20:28]:
> > 2009/7/16 Nico Golde <n...@debian.org>:
[...] 
> > I also find your suggestion horribly wrong on many levels. First, do
> > you seriously believe that users should have to read and reread on
> > upgrades the documentation of their, per average, 1000 installed
> > packages just to keep their systems reasonably secure?
> 
> Well I never said it is no issue. But if it's an issue 
> depends on your desktop environment. If you have just 
> installed xterm you're fine and you're free to change the 
> slim configuration to call any program you want. And it 
> should be documented that this may have unwanted side 
> effects depending on the terminal you use. I do not say that 
> a more secure default doesn't make sense. But it is core 
> functionality of the program and no bug by itself in my 
> opinion.

As some people seem to get me wrong about this...
I believe it is an issue; however, spawning a _login_ shell is 
a feature of slim and no bug. The bug exists because the 
upstream author and the maintainer didn't take into account 
that other terminals than xterm may be used and I think this 
should be either documented (probably removing the current 
debian default is also a good idea) or slim should be 
completely removed from the archive given its recent 
security issues.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
