On Mon, 2006-05-29 at 16:20 +0200, Johannes Winkelmann wrote:
> On Mon, May 29, 2006 at 15:51:00 +0200, Mark Rosenstand wrote:
> > On Mon, 2006-05-29 at 14:56 +0200, Johannes Winkelmann wrote:
> > > What's the upstream status of this? If there's no chance this patch ever gets accepted, I'd vote to revert it. It's an unnatural choice for CRUX to ship modified core utilities, especially since it's easy enough to create an alias, use a modified port
> >
> > I agree, but when it comes to security, behaving like upstream does comes in second.
>
> I agree, and I'm all for addressing issues triggered by GNU tar's behaviour e.g. in pkgmk.
> However, CRUX is in no way a hardened distribution right now, and this patch doesn't change that [1]. Therefore, this isolated change just feels inconsistent. If we promote a different patch policy in the future, that's fine with me, but for now, it seems to be a bad compromise (breaking compatibility for very little added security overall).

Point taken :)

> 1. That's not saying I'm against hardening in general

Could make a nice sub-project in the form of a core/opt overlay. Han? Others interested?