Date: Tue, 6 Jun 2000 13:52:48 -0400 (EDT)
From: mi@privatelabs.com
To: Ade Lovett <ade@lovett.com>
Cc: freebsd-gnats-submit@FreeBSD.org, ports@FreeBSD.org
Subject: Re: ports/19047: net/arpwatch patched to use tmpfile() instead of mktemp()
Message-ID: <200006061752.NAA90282@misha.privatelabs.com>
In-Reply-To: <20000606122221.J38522@lovett.com>

On 6 Jun, Ade Lovett wrote:
= On Tue, Jun 06, 2000 at 01:09:35PM -0400, mi@privatelabs.com wrote:
= > Yes, thanks for pointing out the obvious. I believe, it is also
= > obvious that ``fp = tmpfile()'' is MUCH shorter and cleaner
=
= You forgot ".. and potentially susceptible to a number of security
= issues which may be capable of causing the program, and possibly the
= system, to be compromised."

On FreeBSD (and OpenBSD and NetBSD) this is NOT TRUE, and we all know
it.

= We're trying to get rid of security issues in ports, not add them in.

My patch removes a potential security issue in the BSD port of the
arpwatch software. Please prove otherwise.

= > The fact that I happen to disagree with the man-page does not mean
= > that I did not read it. I did. FreeBSD does not need to care:
=
= Irrelevant. There is a well-defined, secure, interface for creating
= temporary files. It's called mkstemp(). Use it.

tmpfile() is just as well defined and, on FreeBSD, secure. I also
happened to like it better than mkstemp().

= The patch as it stands should absolutely not go into the tree, unless
= y'all just want the port marked FORBIDDEN= "bungled security patch"

It is sad, that you let your emotions blind you. If there will be
someone to knock some sense into you, by, for example, overriding the
authority you remind "us'all" about, I'll certainly applaud that person.

	-mi

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
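
For reference, the mkstemp() interface named in the quoted reply, used here to get the same kind of unnamed, already-open stream that tmpfile() returns. This is an added example, not part of the original message or the arpwatch patch; the helper names and the `arpwatch.XXXXXX` template are assumptions.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* expose mkstemp(), fdopen(), fileno() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hypothetical helper (not from arpwatch). mkstemp() creates the file
 * exclusively with mode 0600 and returns it already open, so there is no
 * gap between choosing a name and opening it as with mktemp() + fopen(). */
FILE *open_private_tmp(const char *dir)
{
    char path[1024];
    int n = snprintf(path, sizeof(path), "%s/arpwatch.XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof(path))
        return NULL;
    int fd = mkstemp(path);          /* rewrites the XXXXXX in place */
    if (fd == -1)
        return NULL;
    /* Drop the name at once; the open descriptor keeps the data alive. */
    if (unlink(path) == -1) {
        close(fd);
        return NULL;
    }
    FILE *fp = fdopen(fd, "w+");
    if (fp == NULL)
        close(fd);
    return fp;
}

/* Returns 1 if the stream has no remaining name and no group/other access. */
int tmp_is_private(FILE *fp)
{
    struct stat st;
    if (fp == NULL || fstat(fileno(fp), &st) == -1)
        return 0;
    return st.st_nlink == 0 && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

int main(void)
{
    FILE *fp = open_private_tmp("/tmp");
    if (fp == NULL) { perror("open_private_tmp"); return 1; }
    fputs("constructed sample data\n", fp);
    printf("private: %d\n", tmp_is_private(fp));
    return fclose(fp) == 0 ? 0 : 1;
}
```
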