On Sun, 2003-02-16 at 12:51, Guido van Rossum wrote:
> Zack's changes to tempfile.py were *not* checked into Python 2.2 --
> they require API changes that are difficult to justify. (The changes
> by Zack that you remember being checked into 2.2 were execve.)
>
> A problem with Zack's tempfile changes is that many uses of mktemp are
> perfectly safe, and the warning is so annoying that I decided to
> disable the warning.
>
> I'm not quite sure what to do now.

If the exec problems were fixed in 2.2, doesn't that address the currently reported vulnerability? I glanced at the Debian bug report and saw that it was reporting an exploit against 2.1.3. I see some value in doing a 2.1.4 release, but not enough value to justify the work.

Aren't the changes in tempfile primarily the addition of new functions (mkstemp, mkdtemp)? I think it would be good to backport new functions that address security issues. Were there changes to the behavior of mktemp(), too? It seems hard to justify an incompatible change to existing functions.

Jeremy
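The mktemp()-versus-mkstemp() difference the thread is about, as an added example that is not part of the original message or of Python's tempfile module. mktemp() only hands back a name that did not exist at the moment it looked; the file is created later by the caller, and anything an attacker places at that name in between (here a symlink, planted inline to stand in for the race) is silently followed by open(path, "w"). mkstemp() creates the file itself with O_CREAT|O_EXCL and returns the open descriptor, so there is no gap to race. The function names, the constructed victim file and the simulated attacker step are this example's own assumptions; it assumes a POSIX filesystem where os.symlink works.

```python
import errno
import os
import tempfile


def write_unsafe(path, data):
    """The pre-mkstemp pattern: take a name from mktemp() and open it later.
    open(path, "w") truncates whatever the path refers to *now*, following
    symlinks, so whoever wins the race between mktemp() and open() decides
    which file gets overwritten."""
    with open(path, "w") as f:
        f.write(data)


def write_safe(path, data):
    """Create the file atomically. O_CREAT|O_EXCL makes open() fail if the
    path already exists in any form, including a planted symlink, so the
    name is refused instead of followed. This is what mkstemp() does
    internally. Returns False if something was already at the path."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as exc:
        if exc.errno in (errno.EEXIST, errno.ELOOP):
            return False
        raise
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return True


def write_with_mkstemp(directory, data):
    """The function the thread proposes backporting: mkstemp() returns an
    already-open descriptor together with the name it created, so the
    caller never holds a name that does not yet exist."""
    fd, path = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def simulate_symlink_race(directory):
    """Constructed demonstration: an 'attacker' plants a symlink at the
    name mktemp() handed out, before the victim code opens it."""
    victim = os.path.join(directory, "victim.txt")
    with open(victim, "w") as f:
        f.write("original")

    # Step 1 of the vulnerable pattern: obtain a name that does not exist yet.
    name = tempfile.mktemp(dir=directory)
    # The attacker wins the race: the name now points at the victim file.
    os.symlink(victim, name)

    # Step 2 with the unsafe open: the write goes through the symlink.
    write_unsafe(name, "clobbered")
    with open(victim) as f:
        unsafe_clobbered = f.read() == "clobbered"

    # Same planted name, atomic create: refused instead of followed.
    safe_refused = not write_safe(name, "never written")

    # mkstemp() never exposes a name before the file exists.
    path = write_with_mkstemp(directory, "secret")
    with open(path) as f:
        mkstemp_content = f.read()

    return {
        "unsafe_clobbered_victim": unsafe_clobbered,
        "safe_refused": safe_refused,
        "mkstemp_written": mkstemp_content,
    }


def run_demo():
    """Run the demonstration in a fresh private directory and clean up."""
    with tempfile.TemporaryDirectory() as d:
        return simulate_symlink_race(d)


if __name__ == "__main__":
    print(run_demo())
```

The same reasoning applies to directories: mkdtemp() creates the directory with mode 0o700 and returns its name only after the creation succeeded, where a mktemp()-then-os.mkdir() sequence has the identical window.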