There are 2 *blocker* tickets for the sage-5.4 release and since these
are security-related, I absolutely think these must be fixed. I'm open
to discussing /how/ they should be fixed, but not /whether/ they should
be fixed. Both tickets put users running Sage (in particular doctests)
at risk from evil users on their system, so this is a huge concern for
shared systems.

#13579: Python sys.path security risk
This is the ticket which has been discussed a lot. I absolutely think
we should fix Python's bad sys.path behaviour. There is a patch up for
review at
http://trac.sagemath.org/sage_trac/ticket/13579

#13595: LD_LIBRARY_PATH potential security risk
In Sage, LD_LIBRARY_PATH ends with ":", which means the current working
directory will be searched also. This must be fixed because of obvious
security dangers.
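Both tickets are instances of the same search-path problem: an entry that resolves to the current working directory lets a file dropped there by another user shadow a real library or module. The script below is an added example written for this post (it is not Sage's code and is not part of the tickets); it audits a colon-separated library path such as LD_LIBRARY_PATH for entries the dynamic linker treats as the current directory (a leading or trailing ":", a "::", or "."), audits a sys.path-style list for entries that resolve to a given working directory (the "" entry Python inserts at startup, ".", or the directory spelled out), and produces cleaned copies of each. The sample values are constructed for illustration.

```python
"""Audit colon-separated library paths and sys.path-style lists for
entries that resolve to the current working directory.

Added example; not Sage's own code.  Sample values are constructed.
"""
import os
import sys

# Entries the dynamic linker interprets as "current directory": an empty
# component (produced by a leading ':', a trailing ':' or '::') or '.'.
_CWD_ALIASES = ("", ".")


def cwd_entries(colon_path):
    """Indices of entries in a colon-separated path (e.g. LD_LIBRARY_PATH)
    that mean the current working directory."""
    return [i for i, e in enumerate(colon_path.split(":")) if e in _CWD_ALIASES]


def strip_cwd_entries(colon_path):
    """Rebuild a colon-separated path without any cwd entry.  A trailing
    ':' (the #13595 case) simply disappears."""
    return ":".join(e for e in colon_path.split(":") if e not in _CWD_ALIASES)


def cwd_sys_path_entries(path_list, cwd):
    """Indices of sys.path-style entries that resolve to ``cwd``.

    '' (what the interpreter inserts at startup), '.', and an absolute
    spelling of the working directory all resolve to the same place.
    Relative entries are resolved against ``cwd`` rather than the real
    process directory so the check is reproducible."""
    cwd = os.path.normpath(cwd)
    return [i for i, p in enumerate(path_list)
            if os.path.normpath(os.path.join(cwd, p)) == cwd]


def harden_sys_path(path_list, cwd):
    """Copy of ``path_list`` with every cwd-resolving entry removed."""
    bad = set(cwd_sys_path_entries(path_list, cwd))
    return [p for i, p in enumerate(path_list) if i not in bad]


def audit(env, path_list, cwd):
    """Return a list of human-readable findings for a constructed or real
    environment mapping, sys.path-style list and working directory."""
    findings = []
    ld = env.get("LD_LIBRARY_PATH")
    if ld is not None:
        for i in cwd_entries(ld):
            findings.append("LD_LIBRARY_PATH entry %d resolves to cwd" % i)
    for i in cwd_sys_path_entries(path_list, cwd):
        findings.append("sys.path entry %d (%r) resolves to cwd" % (i, path_list[i]))
    return findings


if __name__ == "__main__":
    # Constructed environment mirroring the two tickets: a trailing ':' in
    # LD_LIBRARY_PATH and a '' entry at the front of sys.path.
    sample_env = {"LD_LIBRARY_PATH": "/opt/sage/local/lib:"}
    sample_path = ["", "/opt/sage/local/lib/python", "/home/alice/work"]
    for line in audit(sample_env, sample_path, "/home/alice/work"):
        print(line)
    print("cleaned LD_LIBRARY_PATH:", strip_cwd_entries(sample_env["LD_LIBRARY_PATH"]))
    print("cleaned sys.path:", harden_sys_path(sample_path, "/home/alice/work"))
    # Against the live interpreter, for a quick look at the real process:
    for line in audit(os.environ, sys.path, os.getcwd()):
        print("live:", line)
```

Running it as a script reports the two constructed findings and then repeats the audit against the live interpreter's environment and sys.path. A trailing ":" is indistinguishable from an explicit "." to the linker, which is why the check looks for empty components rather than for the literal ":" at the end of the string.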