From owner-freebsd-doc Tue Apr 3 18:20:09 2001
Delivered-To: freebsd-doc@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 6960037B722 for ; Tue, 3 Apr 2001 18:20:04 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f341K4R75749; Tue, 3 Apr 2001 18:20:04 -0700 (PDT) (envelope-from gnats)
Date: Tue, 3 Apr 2001 18:20:04 -0700 (PDT)
Message-Id: <200104040120.f341K4R75749@freefall.freebsd.org>
To: freebsd-doc@freebsd.org
Cc:
From: Dima Dorfman
Subject: Re: docs/26286: format string warnings in man pages.
Reply-To: Dima Dorfman
Sender: owner-freebsd-doc@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The following reply was made to PR docs/26286; it has been noted by GNATS.

From: Dima Dorfman
To: Bengt Richter
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: docs/26286: format string warnings in man pages.
Date: Tue, 03 Apr 2001 18:15:57 -0700

Bengt Richter writes:

> (I am implicitly suggesting that security risk documentation
> be accumulated in a single place for reference and browsing.
> This would serve several goals at once, not least of which is
> a single instance of explanatory text to update when appropriate.

We already have this: http://www.FreeBSD.org/security/#spg

In a perfect world, most security bugs being found right now wouldn't exist because all programmers would read that, and all the sites that page links to, and know that passing the wrong data to the wrong format specifier is a recipe for [security] disaster; unfortunately, we don't live in a perfect world. Some programmers don't even bother reading the man pages to look for security warnings, and many more didn't read that page. The best thing we can do is stick this information in their face.

Sticking outdated, wrong, or incomplete information in their face doesn't make the problem better, however. That was my original concern; if the information mentioned in each man page is incomplete (and the patch submitted was), it may lead some to think that by reading that they know enough, and not bother to investigate further.

That said, I'd like to make it clear that I'm not opposed to the patch in general. I'm just concerned that keeping it up to date will be a pretty big problem, and thus it may end up doing more harm than good.

Regards,

Dima Dorfman
dima@unixfreak.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message