[Bug 503774] Re: main inclusion request for virtuoso
Kees Cook
kees at ubuntu.com
Tue Jan 19 17:45:26 UTC 2010
* Should use system zlib
* virtuoso-t should be installed in /usr/lib since it doesn't run sanely alone in /usr/bin (and lacks a man page)
* Config files (*.cfg) are all out of the local directory. virtuoso-t should only be run from a safe location in a user's home directory where no surprise settings can be injected.
* libsrc/Wi/bif_files.c should be changed to force all the "if (do_os_calls)" checks to fail, regardless of configuration setting. This seems like a dangerous ability for it to have.

There is a lot of memory allocation code, but given how far removed from
direct 3rd party data this software will be, I'm relatively comfortable
with that. I would, however, expect that this code will need attention
during the lifetime of Lucid.

If the above 4 points can be addressed (#3 is actually in nepomuk, I
think), this would be okay for main, given that it is a very stripped
down version of virtuoso-opensource.

** Changed in: virtuoso-opensource (Ubuntu)
   Importance: Undecided => High

** Changed in: virtuoso-opensource (Ubuntu)
   Status: New => Incomplete

** Changed in: virtuoso-opensource (Ubuntu)
   Assignee: Kees Cook (kees) => Jonathan Riddell (jr)

--
main inclusion request for virtuoso
https://bugs.launchpad.net/bugs/503774