From owner-cvs-all Thu Oct 5 23:37:23 2000 Delivered-To: cvs-all@freebsd.org Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id D773737B66F; Thu, 5 Oct 2000 23:37:18 -0700 (PDT) Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id e966aLk23307; Thu, 5 Oct 2000 23:36:21 -0700 (PDT) Date: Thu, 5 Oct 2000 23:36:20 -0700 From: Alfred Perlstein To: Andre Albsmeier Cc: Kris Kennaway , Brian Somers , Ruslan Ermilov , cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG Subject: Re: cvs commit: src/usr.bin/finger finger.c Message-ID: <20001005233620.B27736@fw.wintelcom.net> References: <200010051715.e95HFVn34590@hak.lan.Awfulhak.org> <20001005135833.A87853@citusc17.usc.edu> <20001005142209.G27736@fw.wintelcom.net> <20001006074832.A9078@curry.mchp.siemens.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.4i In-Reply-To: <20001006074832.A9078@curry.mchp.siemens.de>; from andre.albsmeier@mchp.siemens.de on Fri, Oct 06, 2000 at 07:48:32AM +0200 Sender: owner-cvs-all@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG * Andre Albsmeier [001005 22:48] wrote: > On Thu, 05-Oct-2000 at 14:22:09 -0700, Alfred Perlstein wrote: > > > > > > You know, perhaps after two security holes we should just > > > back this darn thing out until someone can review it? > > > > I think a good policy about this is to: > > > > 1) look at the feature and patch > > 2) think about it really hard > > 3) realize how f*cking useless and dangerous it is > > 4) tell the submitter "no, sorry but i can't possibly put this in!" > > 5) sit back and have a beer to congratulate yourself after not > > introducing yet another security issue. > > > > http://www.FreeBSD.org/cgi/query-pr.cgi?pr=bin%2F11997 > > The patch described in the PR mentioned above is NOT useless. > Maybe for you since you either got /var/spool/samba and > /var/spool/lpd each on different 8GB filesystems or because > all of your 1200 dpi color printers are currently out for > repair. > > Of course, a patch can contain security holes -- especially > if the submitter mentiones it in the text and is explicitly > asking for reviewing it. > > I wouldn't judge things useless only because _I_ can't use it... In the form it was in the PR, ie "huge gaping security hole the size of Montana" it was entirely useless. I should have said "useless/dangerous", not all useless patches are dangerous but all dangerous patches are useless until corrected. -- -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] "I have the heart of a child; I keep it in a jar on my desk." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message