You are correct that we have sudo, but having sudo as a known decision does not mean other things need to be left open.
No, the bug was serious, breaking many scripts.
I did an extensive search on the forum about the use of busybox.suid and I found this, for example:
http://forum.tinycorelinux.net/index.php/topic,24512.msg155587.html#msg155587
It is just an example, but it is fine for a general consideration: existing scripts might call busybox.suid, including those that are embedded in TCZ extensions. This makes the single busybox file not viable, at first glance. To address this problem, I have created a script named busybox.suid that redirects these calls to busybox. So the system is not aware that everything has been aggregated into one single executable.
About security: you are not going to remove sudo, IMHO. So, the busybox single file does not add insecurity to the current configuration. Moreover, busybox is open source and its code is deeply checked. So, it can be trusted that it drops suid in a safe way.
Then, the only remaining issue is about violations against /etc/busybox.conf. This file is included in rootfs.gz, so its initial permissions are safely/correctly set. This means that ownership/permissions/content will be reset at every boot. However, a user using sudo might inadvertently change the permissions/ownership, but these changes will not last, and we cannot defend the system against the users, especially if they manage it with a passwordless sudo.
So, at the end of the day the only remaining security concern is about sudo not busybox.
Soon, Tinycore Editor will also be ready for x86 32bit - by now it is ready for x86 64bit. I suggest giving it a try, loading an Xserver and doing some common stuff to check whether any problem arises. I suggest using v0.4.9; in this way, we will have a reference point to check any kind of issue with each other.
https://github.com/robang74/tinycore-editor/archive/refs/tags/v0.4.9.tar.gz
I also suggest using meta-packages: after the first ISO/USB image has been produced, do
cd tinycore
sudo ./tczmetamerge.sh
cd ..
./make.sh iso (or image)
In this way, and since the tcz/*-meta.tcz* will be removed, the ISO/USB image produced will use meta-packages, which aggregate the TCZ in four onion rings: sshonly, usbkey, develop, devtools.
Thank you,
-R
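
An added example, not part of the post above and not code from Tiny Core or tinycore-editor: a small audit of the two files the discussion turns on, checking that /etc/busybox.conf is root-owned and not writable by group or others, and that a setuid busybox binary is root-owned, setuid, and likewise not writable by group or others. The binary path /bin/busybox is an assumed default, and `stat -c` (GNU or BusyBox) is assumed to be available.

```shell
#!/bin/sh
# Added example: permission audit for a setuid busybox and its config file.

# conf_ok MODE UID: succeeds if a config file with this octal mode and owner
# is root-owned and not writable by group or others (mask 022).
conf_ok() {
    mode=$1 uid=$2
    [ "$uid" -eq 0 ] || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# suid_ok MODE UID: succeeds if a binary is root-owned, has the setuid bit
# (04000) and is not writable by group or others.
suid_ok() {
    mode=$1 uid=$2
    [ "$uid" -eq 0 ] || return 1
    [ $(( 0$mode & 04000 )) -ne 0 ] || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# audit_file CHECK PATH: stat PATH (following symlinks) and apply CHECK.
# Returns 0 = pass, 1 = fail, 2 = file missing.
audit_file() {
    check=$1 path=$2
    [ -e "$path" ] || { echo "MISSING $path"; return 2; }
    set -- $(stat -L -c '%a %u' "$path")
    if "$check" "$1" "$2"; then
        echo "OK   $path mode=$1 uid=$2"
    else
        echo "FAIL $path mode=$1 uid=$2"
        return 1
    fi
}

# Usage: sh audit.sh audit [busybox-path]
# /bin/busybox is an assumed default, not a path taken from the post.
if [ "${1:-}" = "audit" ]; then
    rc=0
    audit_file conf_ok /etc/busybox.conf || rc=1
    audit_file suid_ok "${2:-/bin/busybox}" || rc=1
    exit "$rc"
fi
```

Run from a boot script or after a sudo session, it reports whether the config file has drifted from the state shipped in rootfs.gz.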