Date: Tue, 3 Apr 2001 18:20:04 -0700 (PDT)
From: Dima Dorfman <dima@unixfreak.org>
To: freebsd-doc@freebsd.org
Subject: Re: docs/26286: format string warnings in man pages.
Message-ID: <200104040120.f341K4R75749@freefall.freebsd.org>
The following reply was made to PR docs/26286; it has been noted by GNATS.

From: Dima Dorfman <dima@unixfreak.org>
To: Bengt Richter <bokr@accessone.com>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: docs/26286: format string warnings in man pages.
Date: Tue, 03 Apr 2001 18:15:57 -0700

Bengt Richter <bokr@accessone.com> writes:

> (I am implicitly suggesting that security risk documentation
> be accumulated in a single place for reference and browsing.
> This would serve several goals at once, not least of which is
> a single instance of explanatory text to update when appropriate.

We already have this:

http://www.FreeBSD.org/security/#spg

In a perfect world, most security bugs being found right now wouldn't exist because all programmers would read that, and all the sites that page links to, and know that passing the wrong data to the wrong format specifier is a recipe for [security] disaster; unfortunately, we don't live in a perfect world. Some programmers don't even bother reading the man pages to look for security warnings, and many more didn't read that page. The best thing we can do is stick this information in their face.

Sticking outdated, wrong, or incomplete information in their face doesn't make the problem better, however. That was my original concern; if the information mentioned in each man page is incomplete (and the patch submitted was), it may lead some to think that by reading that they know enough, and not bother to investigate further.

That said, I'd like to make it clear that I'm not opposed to the patch in general. I'm just concerned that keeping it up to date will be a pretty big problem, and thus it may end up doing more harm than good.

Regards,

Dima Dorfman
dima@unixfreak.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message