This repository has been archived by the owner on Jul 3, 2019. It is now read-only.

help with potential security issue in chowner #113

Closed
pravi opened this issue Nov 8, 2017 · 6 comments


pravi commented Nov 8, 2017

This was reported long back, but without a response from its original maintainer isaacs/chownr#14

It would be good if some of you can help fix this issue or at least confirm the issue is not serious, as it affects cacache as well and it is blocking us from packaging cacache for Debian.

Owner

zkat commented Jul 2, 2018

this isn't really a bug in cacache, and I think Debian made the choice to cause its own pain in the neck with the way it packages npm, so I'm just gonna close this as Someone Else's Problem™

zkat closed this as completed Jul 2, 2018

Author

pravi commented Jul 2, 2018

@zkat that is wishful thinking. It has nothing to do with Debian, just that we found the issue and want to fix it. Are you saying bugs in the dependencies of cacache don't affect cacache? The bug is present even if installed via npmjs.com. If you look at the recent comment on the original bug report isaacs/chownr#14 (comment) you will see this; the bug is now actually getting fixed in nodejs itself.

Owner

zkat commented Jul 2, 2018

@pravi It's not that it doesn't affect cacache, but that I find it obnoxious for folks to make duplicate issues in multiple repositories when the issue is already being discussed and addressed in its intended place.

I'll bump chownr when it's been fixed on that end. Otherwise, I consider this issue to be a duplicate of the one in the chownr repo.

Author

pravi commented Jul 2, 2018

@zkat this was a call for help

Owner

zkat commented Jul 2, 2018

@pravi I'm not a Debian maintainer, and there's literally nothing I'm gonna do except... tell the person who's already aware of the issue that the issue exists. I don't appreciate trying to apply additional pressure like this.

Author

pravi commented Jul 3, 2018

@zkat okay noted, I won't bother you in future about any issues in any of the dependencies. Since I don't know much of JavaScript I always have to ask others who know more JavaScript than me. My intention to ask here was only because I thought you were affected as well by this bug. As I already said, this was not specific to Debian and only found in Debian. More than applying pressure, since chownr is also Free Software, you could have actually fixed it as well. In many cases I got such help where other people sent pull requests when I asked for help. The beauty of Free Software is in its power of allowing anyone to fix any issues if there is an interest.
