That is absolutely insecure. Upstream should probably provide a way to provide overrides to those files, which probably means also dealing with prioritizing an override location over /usr/share defaults. Some packages have used /opt to do things like this in the past. Personally, I try to avoid using /opt with system packages, because it differentiates how things are organized for packages in the root filesystem. Some options would be things like: $HOME/.config/<package>/... or some XDG directory for overrides. Regards, Kevin On Sat, Jul 31, 2021 at 01:26:00PM +0000, Vince via aur-general wrote:
Hi everyone! Thank you for the help on the the thread eariler, I found the advice and examples very useful. I have posted a request for review of my PKGBUILD over IRC, but I would appreciate any criticism here too.
I have uploaded the PKGBUILD, and two files that would come with it (launcher.desktop and launcher.sh). There are a couple decisions I made that are unconventional, so I'll list them here:
1. As George suggested, I renamed my package from `rexpaint-bin` to just `rexpaint`, since there are no sources available.
2. The server hosting the program blocks Curl's user agent. As far as I can tell, the convention is to use "Mozilla" as a user agent instead. However, I have opted to use "PKGBUILD" as the agent, so I avoid accidentally messing up any statistics that may be collected upstream.
3. I have used standard package permissions as far as I can tell, except for `/usr/share/rexpaint/images`. The program saves data into this directory, so it must be 777.
4. I am not sure what to do with `/usr/share/rexpaint/data`. It contains data such as fonts and palettes, which might be edited by the user during usage. Right now I have assumed that the user will not do that, so it is not listed in `$backup` and its mode is 755. I have sent an email upstream asking about this, and am waiting for a response.
5. The program tries to write logs into the Working Directory (`/usr/share/rexpaint`), but it cannot do this because I have set its mode to 755. However, giving the everyone write permissions in `/usr/share/rexpaint` seems insecure. Please advise.
As stated before, I have emailed upstream to ask if it's okay that I publish this packaging to the repositories. This is not required by the license, but I am too young to be making enemies, and it would be nice to have some upstream. I will publish it when I get the goahead, or if he takes more than 24h to reply.
All feedback is appreciated.
Thank you in advance, Vincent
-- Kevin Morris Software Developer Identities: - kevr @ Libera