rfc/patch: debuginfod client $DEBUGINFOD_PROGRESS env var

[Frank Ch. Eigler]

Hi -

> > That's not that serious a category of concern.  Environment variables
> > are not under control of untrusted agents.  FWIW, $DEBUGINFOD_CACHE is
> > considerably more dangerous in that regard (cache cleaning!).
> 
> You have a way to make me even more scared of security issues than less
> :)
> 
> It would actually be pretty bad if a user made the mistake to set
> DEBUGINFOD_CACHE to e.g. their home directory by mistake.

Yeah, those bothering to override the default path have to be careful.

> Could we have some extra safeguard there? e.g. If the directory already
> exist check whether it is completely empty or if it isn't empty it
> contains a cache_clean_interval file? Or at least only delete files
> that follow our creation pattern:
>  <build-id-hexstring>/[debuginfo|executable|source]?

This sounds prudent.  Will work on that.


- FChE