Hi,

Thank you Nico for having taken care of the security bugs. The issue is really simple to solve in fact, though I never noticed it (actually this is not the default behavior of slim, I made that change by following the suggestion from bug #499048). So thanks again Piotr for pointing out the issue... I have made a note of it within README.Debian, which will follow in the next package.
Mike

2009/7/21 <n...@ngolde.de>:
> Hi,
> * Nico Golde <n...@debian.org> [2009-07-19 20:44]:
>> * Piotr Engelking <inkerma...@gmail.com> [2009-07-19 20:28]:
>> > 2009/7/16 Nico Golde <n...@debian.org>:
> [...]
>> > I also find your suggestion horribly wrong on many levels. First, do
>> > you seriously believe that users should have to read and reread on
>> > upgrades the documentation of their, per average, 1000 installed
>> > packages just to keep their systems reasonably secure?
>>
>> Well I never said it is no issue. But if it's an issue
>> depends on your desktop environment. If you have just
>> installed xterm you're fine and you're free to change the
>> slim configuration to call any program you want. And it
>> should be documented that this may have unwanted side
>> effects depending on the terminal you use. I do not say that
>> a more secure default doesn't make sense. But it is core
>> functionality of the program and no bug by itself in my
>> opinion.
>
> As some people seem to get me wrong about this...
> I believe it is an issue however spawning a _login_ shell is
> a feature of slim and no bug. The bug exists because the
> upstream author and the maintainer didn't take into account
> that other terminals than xterm may be used and I think this
> should be either documented (probably removing the current
> debian default is also a good idea) or slim should be
> completely removed from the archive given its recent
> security issues.
>
> Cheers
> Nico
> --
> Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
> For security reasons, all text in this mail is double-rot13 encrypted.