From: zimoun
Date: Wed, 22 Jan 2020 01:22:45 +0100
Subject: Bug status? '.png' files with executable permissions
To: 38422@debbugs.gnu.org, Bengt Richter

Dear Bengt,

The bug report [1] points out files with unexpected permissions, based on filename extension.

[1] https://debbugs.gnu.org/cgi/bugreport.cgi?bug=38422

It is not a security issue or the Guix packager did not carefully check the validity of these files.

If you are security paranoid, you *have to* check by yourself all the files using "guix build -S" because in paranoid mode you cannot trust Guix packagers (nor Guix committers).

In normal mode, 2 options:

 a- propose a patch to change the permission for each offending package
 b- report upstream

Well, at least these 3 packages docbook-xsl, faba-icon-theme, and moka-icon-theme come with unexpected .png file permissions.

In the long term, I am not convinced that adding an automatic check and permission change based on filename extension would really add Quality Assurance. Because we are speaking about quality, not security.

I am inclined to close this bug. What do you think?

All the best,
simon
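
An added example, not part of the original message or of Guix: a POSIX shell audit of an already unpacked source tree (for instance what "guix build -S" returns, once extracted) that lists .png files carrying an executable bit and separates those that really begin with the PNG signature from those that do not. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Audit *.png files that have any executable bit set.
# Output: one line per finding, "<verdict><TAB><permissions><TAB><path>".
# Assumption: file names contain no newlines.

PNG_MAGIC="89504e470d0a1a0a"   # the 8-byte PNG file signature, hex-encoded

# Hex-encode the first 8 bytes of a file.
first8_hex() {
    head -c 8 "$1" | od -An -v -tx1 | tr -d ' \n'
}

# audit_png_perms DIR
#   exec-png      content starts with the PNG signature, but is executable
#   exec-not-png  executable and the content is not a PNG at all
audit_png_perms() {
    find "$1" -type f -name '*.[pP][nN][gG]' \
        \( -perm -100 -o -perm -010 -o -perm -001 \) | sort |
    while IFS= read -r f; do
        mode=$(ls -ld -- "$f" | cut -c1-10)
        if [ "$(first8_hex "$f")" = "$PNG_MAGIC" ]; then
            verdict=exec-png
        else
            verdict=exec-not-png
        fi
        printf '%s\t%s\t%s\n' "$verdict" "$mode" "$f"
    done
}

# Constructed sample tree (not taken from any real package) for a dry run.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    printf '\211PNG\r\n\032\n' > "$d/icon.png"     # PNG signature, mode 755
    printf '\211PNG\r\n\032\n' > "$d/plain.png"    # PNG signature, mode 644
    printf '#!/bin/sh\necho hi\n' > "$d/logo.png"  # script with a .png name
    chmod 755 "$d/icon.png" "$d/logo.png"
    chmod 644 "$d/plain.png"
    printf '%s\n' "$d"
}

# Audit the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_png_perms "$1"
fi
```

An exec-png line is the permission-only case discussed in the message; an exec-not-png line is a file whose content does not match its extension and deserves a manual look.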