Bug 310039 - dev-texlive/texlive-latexextra-2009 installs world-writeable files
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High normal
Assignee: Alexis Ballier
Blocks: 314795
Reported: 2010-03-18 10:28 UTC by Ian Abbott
Modified: 2010-11-07 19:24 UTC

Description Ian Abbott 2010-03-18 10:28:30 UTC
When emerging =dev-tex/texlive-latexextra-2009, I get the following QA Security notices:

QA Security Notice:
- /usr/share/texmf-dist/tex/latex/msg/french_msg-msg.tex will be a world writable file.
- This may or may not be a security problem, most of the time it is one.
- Please double check that texlive-latexextra-2009 really needs a world writeable bit and file bugs accordingly.
QA Security Notice:
- /usr/share/texmf-dist/tex/latex/msg/german_msg-msg.tex will be a world writable file.
- This may or may not be a security problem, most of the time it is one.
- Please double check that texlive-latexextra-2009 really needs a world writeable bit and file bugs accordingly.
QA Security Notice:
- /usr/share/texmf-dist/tex/latex/msg/msg-msg.tex will be a world writable file.
- This may or may not be a security problem, most of the time it is one.
- Please double check that texlive-latexextra-2009 really needs a world writeable bit and file bugs accordingly.
QA Security Notice:
- /usr/share/texmf-dist/tex/latex/msg/norsk_msg-msg.tex will be a world writable file.
- This may or may not be a security problem, most of the time it is one.
- Please double check that texlive-latexextra-2009 really needs a world writeable bit and file bugs accordingly.


Reproducible: Always

Steps to Reproduce:
Comment 1 Ian Abbott 2010-03-18 10:35:46 UTC
(In reply to comment #0)
> When emerging =dev-tex/texlive-latexextra-2009 ...

Sorry, that should say =dev-texlive/latexextra-2009
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2010-10-03 12:40:19 UTC
Which versions of zip/unzip/... have you installed?
Comment 3 emil karlson 2010-10-03 15:02:33 UTC
I can confirm this.

zip versions:

[I] app-arch/unzip
     Available versions:  5.52-r2 6.0-r1 {bzip2 unicode}
     Installed versions:  6.0-r1(07:25:53 PM 04/25/2010)(bzip2 unicode)
     Homepage:            http://www.info-zip.org/
     Description:         unzipper for pkzip-compressed files

[I] app-arch/zip
     Available versions:  2.32-r1 3.0 {bzip2 crypt unicode}
     Installed versions:  3.0(07:27:29 PM 04/25/2010)(bzip2 crypt unicode)
     Homepage:            http://www.info-zip.org/
     Description:         Info ZIP (encryption support)
Comment 4 emil karlson 2010-10-03 15:09:53 UTC
Other packages affected:

jkarlson@schur: ~
$ qfile $(find  / -perm -o+w -not -type l 2>/dev/null | egrep ^/usr/share/texmf-dist/) | sed 's/ (.*//' | uniq
dev-texlive/texlive-latexextra
dev-texlive/texlive-fontsextra
dev-texlive/texlive-publishers
dev-texlive/texlive-metapost
Comment 5 Ian Abbott 2010-10-04 10:02:07 UTC
(In reply to comment #2)
> Which versions of zip/unzip/... have you installed?

Currently I have zip-3.0 and unzip-6.0-r1 installed. I can't figure out where those get used though!

Comment 6 Ian Abbott 2010-10-04 10:33:30 UTC
Perhaps using the tar option '--no-same-permissions' in texlive-module_src_unpack() in /usr/portage/eclass/texlive-module.eclass would help, or would that introduce subtle bugs elsewhere?
Comment 7 Alexis Ballier gentoo-dev 2010-10-04 13:30:27 UTC
(In reply to comment #6)
> Perhaps using the tar option '--no-same-permissions' in
> texlive-module_src_unpack() in /usr/portage/eclass/texlive-module.eclass would
> help, or would that introduce subtle bugs elsewhere?
> 

We want to keep the +x bit when it's set, that's why I changed doins to cp -pR in src_install some years ago.
Comment 8 Alexis Ballier gentoo-dev 2010-11-07 19:24:51 UTC
Should be fixed now with my latest commit to texlive-module.eclass; it'll force a 022 umask.
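
The tar behaviour discussed in comments 6 to 8, as an added example (not code from this bug or from texlive-module.eclass): mode bits stored in an archive survive extraction with --same-permissions, while --no-same-permissions under a 022 umask drops the world-writable bit and keeps +x. The file names, modes and helper functions are constructed for illustration, and GNU tar plus a stat that supports -c are assumed.

```sh
#!/bin/sh
# Constructed demo: file names and modes are made up for illustration.
# Assumes GNU tar (--no-same-permissions) and a stat that supports -c.

# make_archive DIR: create DIR/demo.tar holding a 0666 file and a 0777 script.
make_archive() {
    mkdir -p "$1/src/tex" && chmod 0755 "$1/src/tex" &&
    printf 'msg\n' > "$1/src/tex/sample-msg.tex" &&
    printf '#!/bin/sh\n' > "$1/src/tex/helper.sh" &&
    chmod 0666 "$1/src/tex/sample-msg.tex" &&
    chmod 0777 "$1/src/tex/helper.sh" &&
    tar -C "$1/src" -cf "$1/demo.tar" tex
}

# extract_modes ARCHIVE DEST UMASK TAR_FLAG: extract in a subshell under the
# given umask, then print "<mode of the .tex file> <mode of the script>".
extract_modes() (
    umask "$3"
    mkdir -p "$2" && tar "$4" -C "$2" -xf "$1" || exit 1
    echo "$(stat -c %a "$2/tex/sample-msg.tex") $(stat -c %a "$2/tex/helper.sh")"
)

# count_world_writable DIR: number of regular files under DIR with o+w set
# (the check from comment 4, restricted to regular files in one directory).
count_world_writable() {
    find "$1" -type f -perm -0002 | wc -l | tr -d ' '
}

# Stand-alone run: compare both extraction modes under umask 022.
demo=$(mktemp -d) && make_archive "$demo" || exit 1
echo "same-permissions:    $(extract_modes "$demo/demo.tar" "$demo/keep" 022 --same-permissions)"
echo "no-same-permissions: $(extract_modes "$demo/demo.tar" "$demo/masked" 022 --no-same-permissions)"
echo "world-writable (kept):   $(count_world_writable "$demo/keep")"
echo "world-writable (masked): $(count_world_writable "$demo/masked")"
rm -rf "$demo"
```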