From owner-cvs-all  Thu Oct  5 23:37:23 2000
Delivered-To: cvs-all@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20])
	by hub.freebsd.org (Postfix) with ESMTP
	id D773737B66F; Thu,  5 Oct 2000 23:37:18 -0700 (PDT)
Received: (from bright@localhost)
	by fw.wintelcom.net (8.10.0/8.10.0) id e966aLk23307;
	Thu, 5 Oct 2000 23:36:21 -0700 (PDT)
Date: Thu, 5 Oct 2000 23:36:20 -0700
From: Alfred Perlstein <bright@wintelcom.net>
To: Andre Albsmeier <andre.albsmeier@mchp.siemens.de>
Cc: Kris Kennaway <kris@citusc.usc.edu>,
	Brian Somers <brian@Awfulhak.org>, Ruslan Ermilov <ru@FreeBSD.ORG>,
	cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject: Re: cvs commit: src/usr.bin/finger finger.c
Message-ID: <20001005233620.B27736@fw.wintelcom.net>
References: <ru@FreeBSD.org> <200010051715.e95HFVn34590@hak.lan.Awfulhak.org> <20001005135833.A87853@citusc17.usc.edu> <20001005142209.G27736@fw.wintelcom.net> <20001006074832.A9078@curry.mchp.siemens.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <20001006074832.A9078@curry.mchp.siemens.de>; from andre.albsmeier@mchp.siemens.de on Fri, Oct 06, 2000 at 07:48:32AM +0200
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

* Andre Albsmeier <andre.albsmeier@mchp.siemens.de> [001005 22:48] wrote:
> On Thu, 05-Oct-2000 at 14:22:09 -0700, Alfred Perlstein wrote:
> > > 
> > > You know, perhaps after two security holes we should just
> > > back this darn thing out until someone can review it?
> > 
> > I think a good policy about this is to:
> > 
> > 1) look at the feature and patch
> > 2) think about it really hard
> > 3) realize how f*cking useless and dangerous it is
> > 4) tell the submitter "no, sorry but i can't possibly put this in!"
> > 5) sit back and have a beer to congratulate yourself after not
> >    introducing yet another security issue.
> > 
> > http://www.FreeBSD.org/cgi/query-pr.cgi?pr=bin%2F11997
> 
> The patch described in the PR mentioned above is NOT useless.
> Maybe for you since you either got /var/spool/samba and
> /var/spool/lpd each on different 8GB filesystems or because
> all of your 1200 dpi color printers are currently out for
> repair.
> 
> Of course, a patch can contain security holes -- especially
> if the submitter mentiones it in the text and is explicitly
> asking for reviewing it.
> 
> I wouldn't judge things useless only because _I_ can't use it...

In the form it was in the PR, ie "huge gaping security hole the
size of Montana" it was entirely useless.

I should have said "useless/dangerous", not all useless patches
are dangerous but all dangerous patches are useless until corrected.

-- 
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message