Friday 12 October 2012
cups-pk-helper & desktop-file-utils releases
In the last two weeks, I took some time to review patches submitted for cups-pk-helper and desktop-file-utils, and worked a bit on the code. This means new releases, which keeps me on track for the "two releases a year" schedule followed for these two pieces of software :-)
It is recommended to update to the 0.2.3 version of cups-pk-helper, due to a security flaw in the old code (CVE-2012-4510). I found it while fixing a compiler warning about a return value being ignored; re-reading that old code, I realized that it was, hrm, not really solid, that it was not checking permissions, and that it could actually be abused to overwrite any file (among other issues)... Thankfully, this can only be exploited if the user explicitly approves the action since it's protected with polkit authentication (using the admin password). So this is not as severe as it could have been. I want to thank Sebastian Krahmer from the SUSE Security Team, who was really helpful in reviewing my iterative fixes.
The other changes are build-time compatibility with cups 1.6, some additional paranoid processing of the input we get via dbus, and updated translations (thanks to transifex).
Update: the 0.2.3 tarball had a small bug when detecting the cups version, try 0.2.4 instead ;-)
The 0.21 release of desktop-file-utils is mainly about an update of the validator to deal with several recent (and not so recent) changes in the XDG Menu specification: a main category is not required anymore (although still recommended if one main category makes sense for the application), Science is now a main category, and new categories have been registered (including the Spirituality one, which was discussed years ago).
The validator now also correctly handles the new values for the AutostartCondition field used by GNOME 3, and features some experimental hints in the output for .desktop files that could possibly be improved. Those hints are experimental since I'm unsure if they will really help, or just annoy people (note that they can be ignored with the --no-hints option). At the moment, they only deal with categories, but I guess it shouldn't be hard to find more hints to add (such as "hey, you're missing an icon!").
Of course, while working on desktop-file-utils, I took a look at some patches and issues that were recently discussed on the xdg mailing list, and pushed some changes to the menu specification. I'm a bit sad about the fact that nearly nobody is actively working on most specs (blaming myself too, since I look at patches/issues only a few times a year) and that feedback about the proposed changes is rare (these days, I'd say getting two or more people to approve a change is an exception). It'd be great to have a few people step up and bring new energy to this effort!