Friday, May 29, 2020

Re: firefox: fix keepassxc browser addon

On Fri, May 29, 2020 at 03:30:12PM +0200, Klemens Nanni wrote:
>
> Firefox is simply missing an unveil to the program, with it added the
> addon just works and I can fill input forms just perfectly.
>
> Also, shouldn't we add CVS revision markers to all files under
> /etc/firefox/? Otherwise diffing them makes it hard for users to see
> when particular entries were added without consulting the ports tree.

sure, if the parser supports comments i don't see a downside..

> Note that I'd like to see this in the firefox file instead of a
> keepassxc readme or so, otherwise package upgrades wouldn't pick up
> future changes in those unveil.* files since keepassxc users have edited
> them.

well, i'm not a fan. Will we have to add unveils for every exception
under the sun? That will unveil that path for all users, including the
ones who don't have keepassxc. What if a malicious pkg then installs a
malicious script at this location?

yeah i know at that point you have other problems, but you get the point
- unveil/pledge only what's *needed*.. - especially for things under
usr/local. right now only /usr/local/lib/firefox and
/usr/local/bin/gio-launch-desktop have rx.

i'd rather have it in a README, be it firefox or keepassxc, you could
have an 'Integration with keepassxc browser addon' section like the
'3rd-Party MIME Handlers' section, or an 'Integration with browsers'
README in security/keepassxc.

The pseudo-justification "package upgrades wouldn't pick up future
changes in those unveil.* files since keepassxc users have edited them"
is true for any @sample file that you edit (in any package), i don't see
why there should be an exception for that case. pkg_add -u tells you
some files were modified and have to be merged by hand or with sysmerge
-p...

Landry
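
Added example, not part of the thread and not code from the firefox port: a small sh check for the concern raised above, listing every unveil entry that grants execute permission and flagging those whose path is not installed on the system. The file format ("path permissions" per line, `#` for comments, no spaces in paths) and the sample paths are assumptions; the sample file is constructed.

```shell
#!/bin/sh
# Audit an unveil file for entries that allow execution ("x").
# Assumed format (not shown in the thread): "path permissions" per line,
# lines starting with '#' are comments, blank lines are ignored.

audit_unveil_exec() {
    # $1: unveil file to audit
    while read -r path perms _rest || [ -n "$path" ]; do
        case "$path" in
            ''|'#'*) continue ;;   # skip blank lines and comments
        esac
        case "$perms" in
            *x*) ;;                # keep only entries that allow execution
            *) continue ;;
        esac
        if [ -e "$path" ]; then
            echo "present $path $perms"
        else
            # Unveiled for execution although nothing is installed there:
            # whatever later appears at this path is runnable by the browser.
            echo "missing $path $perms"
        fi
    done < "$1"
    return 0
}

# Constructed sample: one installed directory, one optional helper that is
# not installed (hypothetical name), one read-only entry.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/lib/firefox"
cat > "$demo_dir/unveil.main" <<EOF
# constructed sample, not the shipped file
$demo_dir/lib/firefox rx
$demo_dir/bin/optional-helper rx
$demo_dir/share r
EOF

audit_unveil_exec "$demo_dir/unveil.main"
rm -rf "$demo_dir"
```

Entries reported as `missing` are the ones worth reviewing before keeping them in a file that applies to all users.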
