Re: Perl Packages [was: Re: GNOME Bugzilla Upgrade: Test Upgrade On Friday?]



On Thu, 2009-07-30 at 21:09 -0700, Max Kanat-Alexander wrote:
> Owen Taylor wrote:
> >   Don't consider the security risk of launching ImageMagick
> >   code from the web interface worth the marginal feature of allowing
> >   BMP's to be converted to PNG's on upload. (Probably most BMP's that
> >   are uploaded to gnome.org are to demonstrate bugs in gdk-pixbuf
> >   or EOG...)
> 
> 	FWIW, there's no security risk that I'm aware of. But if you don't need 
> the feature, you don't have to install the package.

The security risk I'm referring to is the risk of exploits in the BMP
decoder in ImageMagick. History indicates that image decoders are a rich
source of vulnerabilities.

It's not in any way a big security risk, but if we don't need the
feature anyways..

> >  Authen::LDAP
> > 
> >   No immediate need to authenticate users against LDAP. Maybe later
> >   if we want a unified gnome.org password.
> 
> 	I think it'd be better to just install this now, so that if people do 
> want to do some sort of SSO for gnome.org, they can just set this up in 
> Bugzilla's admin interface without having to resort to a sysadmin with 
> root on the box. (Of course, that might just be the same person anyway.)

I don't think SSO could be accomplished without a lot of intensive
sysadmin participation.

- Owen



