From owner-cvs-all Thu Oct 5 22:52:26 2000 Delivered-To: cvs-all@freebsd.org Received: from goliath.siemens.de (goliath.siemens.de [194.138.37.131]) by hub.freebsd.org (Postfix) with ESMTP id 335C937B503; Thu, 5 Oct 2000 22:52:21 -0700 (PDT) X-Envelope-Sender-Is: andre.albsmeier@mchp.siemens.de (at relayer goliath.siemens.de) Received: from mail2.siemens.de (mail2.siemens.de [139.25.208.11]) by goliath.siemens.de (8.11.0/8.11.0) with ESMTP id e965mYC24580; Fri, 6 Oct 2000 07:48:38 +0200 (MET DST) Received: from curry.mchp.siemens.de (curry.mchp.siemens.de [139.25.42.7]) by mail2.siemens.de (8.11.0/8.11.0) with ESMTP id e965mXc21783; Fri, 6 Oct 2000 07:48:33 +0200 (MET DST) Received: (from localhost) by curry.mchp.siemens.de (8.11.0/8.11.0) id e965mXo31885; Date: Fri, 6 Oct 2000 07:48:32 +0200 From: Andre Albsmeier To: Alfred Perlstein Cc: Kris Kennaway , Brian Somers , Ruslan Ermilov , cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG Subject: Re: cvs commit: src/usr.bin/finger finger.c Message-ID: <20001006074832.A9078@curry.mchp.siemens.de> References: <200010051715.e95HFVn34590@hak.lan.Awfulhak.org> <20001005135833.A87853@citusc17.usc.edu> <20001005142209.G27736@fw.wintelcom.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20001005142209.G27736@fw.wintelcom.net>; from bright@wintelcom.net on Thu, Oct 05, 2000 at 02:22:09PM -0700 X-Echelon: BND CIA NSA Mossad KGB MI6 IRA detonator nuclear assault strike Sender: owner-cvs-all@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Thu, 05-Oct-2000 at 14:22:09 -0700, Alfred Perlstein wrote: > * Kris Kennaway [001005 13:58] wrote: > > On Thu, Oct 05, 2000 at 06:15:31PM +0100, Brian Somers wrote: > > > > ru 2000/10/05 08:56:13 PDT > > > > > > > > Modified files: > > > > usr.bin/finger finger.c > > > > Log: > > > > Do not allow `finger -m /somefile' as well. > > > > > > > > Revision Changes Path > > > > 1.21 +4 -4 src/usr.bin/finger/finger.c > > > > > > Errum, thanks. Can you mfc too ? > > > > You know, perhaps after two security holes we should just > > back this darn thing out until someone can review it? > > I think a good policy about this is to: > > 1) look at the feature and patch > 2) think about it really hard > 3) realize how f*cking useless and dangerous it is > 4) tell the submitter "no, sorry but i can't possibly put this in!" > 5) sit back and have a beer to congratulate yourself after not > introducing yet another security issue. > > http://www.FreeBSD.org/cgi/query-pr.cgi?pr=bin%2F11997 The patch described in the PR mentioned above is NOT useless. Maybe for you since you either got /var/spool/samba and /var/spool/lpd each on different 8GB filesystems or because all of your 1200 dpi color printers are currently out for repair. Of course, a patch can contain security holes -- especially if the submitter mentiones it in the text and is explicitly asking for reviewing it. I wouldn't judge things useless only because _I_ can't use it... -Andre To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message