Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#58559 - [gitlab][gitlab-shell] Packages shouldn't provide secret files
Attached to Project:
Community Packages
Opened by Jonas Hahnfeld (hahnjo) - Saturday, 12 May 2018, 13:19 GMT
Last edited by Sven-Hendrik Haase (Svenstaro) - Sunday, 29 July 2018, 15:11 GMT
Details: Everyone should generate their own secrets, the packages shouldn't provide known (= insecure) default values. This might need documentation in the wiki.
Closed by Sven-Hendrik Haase (Svenstaro)
Sunday, 29 July 2018, 15:11 GMT
Reason for closing: Won't fix
Additional comments about closing: These packages already have a note to the user to install a secure bytestring there. The secret files in both cases need to be there during installation and I think it makes sense to provide them in the package so that permissions are at least correct.
Comment by Sven-Hendrik Haase (Svenstaro) - Monday, 14 May 2018, 09:15 GMT
It needs the secrets to compile/install. I suppose I could remove them again after that is done. It's likely a sane choice to force users to generate their own secrets. Can you make a patch for both packages that also adds notes to the .install files which make users aware that this is something they have to do?