
touch-packages team mailing list archive

[Bug 1446212] Re: Support installing localization data from click packages

 

I'm concerned about adding translations from potentially untrusted
sources -- format strings are a ripe source of security issues in some
languages and allowing any random person to provide translated strings
for programs that handle private data is potentially highly dangerous.

Python, Ruby, Perl, PHP, all make it easy to dump arbitrary variables
this way; Lua looks like it can easily be configured to do so as well,
if authors choose to use such functionality. C, C++ format strings can
read and write data into and out of memory nearly arbitrarily.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1446212

Title:
  Support installing localization data from click packages

Status in apparmor-easyprof-ubuntu package in Ubuntu:
  Confirmed
Status in ubuntu-ui-toolkit package in Ubuntu:
  Incomplete

Bug description:
  It would be nice if it were possible to add support to a new language/locale by just installing a click package.
  This would have several benefits:
  1) People could easily add support for non officially supported languages
  2) Languages would be updated independently from the system image
  3) Some space could be freed from the image, if some languages get moved to click packages

  I'm entering this bug against ubuntu-ui-toolkit, because I guess it
  would need some change to get the correct path where translations are
  installed (it now calls bindtextdomain with /usr/share/locale, while
  it should fall back to ~/.local/share/locale/ if the language does not
  exist in the system path), but there surely are other projects that
  would need to be changed.

  For sure, we would need a click hook to move the translations in
  ~/.local/share/locale/, as well as changes to the apparmor policy to
  read from that directory.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor-easyprof-ubuntu/+bug/1446212/+subscriptions
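
One way to reduce the format-string risk raised in the comment above is to reject any translated string whose printf-style directives differ from those of the original. The following is an added example, not part of the original message or of any Ubuntu project's code; the function names and the sample catalog entries are assumptions constructed for illustration.

```python
import re

# printf-style directive: %[n$][flags][width][.precision][length]conversion
_DIRECTIVE = re.compile(
    r"%(?:(?P<pos>\d+)\$)?[-+ #0']*(?:\*|\d+)?(?:\.(?:\*|\d+))?"
    r"(?P<len>hh|h|ll|l|j|z|t|L)?(?P<conv>[diouxXeEfFgGaAcspn%])"
)

def directives(s):
    """Map argument index -> length+conversion for a printf-style string."""
    args, i, seq = {}, 0, 0
    while (i := s.find("%", i)) != -1:
        m = _DIRECTIVE.match(s, i)
        if m is None:
            raise ValueError(f"malformed directive at offset {i}")
        i = m.end()
        if m["conv"] == "%":          # literal percent sign, consumes no argument
            continue
        if m["conv"] == "n" or "*" in m[0]:
            # %n writes to memory; '*' consumes extra arguments. Refuse both.
            raise ValueError(f"disallowed directive {m[0]!r}")
        seq += 1
        args[int(m["pos"]) if m["pos"] else seq] = (m["len"] or "") + m["conv"]
    return args

def check_translation(msgid, msgstr):
    """Return a list of problems; an empty list means msgstr is acceptable."""
    if not msgstr:                    # empty msgstr: untranslated, msgid is used
        return []
    try:
        want, got = directives(msgid), directives(msgstr)
    except ValueError as e:
        return [f"rejected: {e}"]
    return [f"arg {n}: msgid has {want.get(n)!r}, msgstr has {got.get(n)!r}"
            for n in sorted(set(want) | set(got)) if want.get(n) != got.get(n)]

# Constructed sample entries (not taken from any real catalog).
SAMPLES = [
    ("%s has %d new messages", "%s hat %d neue Nachrichten"),
    ("%s has %d new messages", "%2$d neue Nachrichten, %1$s"),
    ("Welcome, %s", "Willkommen, %s %s %s"),
    ("Welcome, %s", "Willkommen, %x"),
    ("%d files", "%d Dateien%n"),
]

if __name__ == "__main__":
    for msgid, msgstr in SAMPLES:
        print(repr(msgstr), "->", check_translation(msgid, msgstr) or "ok")
```

GNU gettext's `msgfmt --check-format` performs a comparable comparison for catalog entries flagged as format strings.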

