if it's not broken ... ?

I have a little script that displays a summary of when I last uploaded each Debian package I maintain, as well as the Standards-Version each package is at. After stable releases or once or twice a year, I like to go through and upload all my packages again, often on some pretext of policy changing, but really just to see what breaks.

So I did that today for a few of them, mostly some old games that I still maintain for no particular reason. Unfortunately I also took the time to look at the security profiles of these games, which were sgid games. I've felt for some time that keeping sgid games in Debian is only inviting security problems, since most users play games on single user systems nowadays, and the global scores files we get with a sgid bit are just not worth it. Except for nethack, and maybe things like bsdgames.

Anyway, this led me to looking at the code, and so I ended up finding a couple of security holes in xemeraldia and xgalaga. These have been fixed, and these games no longer have global high score files in Debian, but now that I'm two for two with checking this, I'm almost scared to look at the rest of my games.

Moral of the story: Sometimes touching something that's not broken turns out to be worth it; and also, if you have a setgid game that was written before 2003-ish, or any setuid game, please fix it so it does not need any special permissions to run, because finding these security holes really sucks.
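A quick way to find which games on a system still carry the special permissions the moral argues against, as an added example that is not part of the original post. It assumes Debian's /usr/games layout and GNU find (the findutils package); the directory can be overridden for other systems.

```shell
#!/bin/sh
# Added example: audit a directory for setuid/setgid game binaries.
# Assumes GNU find for -printf; defaults to Debian's /usr/games.

# Print one line per privileged file: symbolic mode, owner:group, path.
# Matches files with the setuid bit (4000) or the setgid bit (2000) set.
list_privileged_games() {
    dir="${1:-/usr/games}"
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%M %u:%g %p\n' 2>/dev/null
}

# Number of setuid/setgid files under the directory (0 when none).
count_privileged_games() {
    list_privileged_games "$1" | wc -l | tr -d ' '
}

# Succeed only when no game under the directory needs special permissions,
# which is the state the post asks maintainers to aim for.
games_are_clean() {
    [ "$(count_privileged_games "$1")" -eq 0 ]
}

# Report on the directory given as the first argument, or /usr/games.
list_privileged_games "${1:-/usr/games}"
```

Any line the report prints names a binary that, per the post, deserves a look at how it handles its score file; an empty report means the directory is already clean.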