Subject: Re: ports/19047: net/arpwatch patched to use tmpfile() instead of mktemp()
From: mi@privatelabs.com
To: freebsd-ports@FreeBSD.org
Date: Tue, 6 Jun 2000 11:00:09 -0700 (PDT)
Message-Id: <200006061800.LAA28401@freefall.freebsd.org>

The following reply was made to PR ports/19047; it has been noted by GNATS.

From: mi@privatelabs.com
To: Ade Lovett
Cc: freebsd-gnats-submit@FreeBSD.org, ports@FreeBSD.org
Subject: Re: ports/19047: net/arpwatch patched to use tmpfile() instead of mktemp()
Date: Tue, 6 Jun 2000 13:52:48 -0400 (EDT)

On 6 Jun, Ade Lovett wrote:
= On Tue, Jun 06, 2000 at 01:09:35PM -0400, mi@privatelabs.com wrote:
= > Yes, thanks for pointing out the obvious. I believe, it is also
= > obvious that ``fp = tmpfile()'' is MUCH shorter and cleaner
=
= You forgot ".. and potentially susceptible to a number of security
= issues which may be capable of causing the program, and possibly the
= system, to be compromised."

On FreeBSD (and OpenBSD and NetBSD) this is NOT TRUE, and we all know it.

= We're trying to get rid of security issues in ports, not add them in.

My patch removes a potential security issue in the BSD port of the
arpwatch software. Please prove otherwise.

= > The fact that I happen to disagree with the man-page does not mean
= > that I did not read it. I did. FreeBSD does not need to care:
=
= Irrelevant. There is a well-defined, secure, interface for creating
= temporary files. It's called mkstemp(). Use it.

tmpfile() is just as well defined and, on FreeBSD, secure. I also
happened to like it better than mkstemp().

= The patch as it stands should absolutely not go into the tree, unless
= y'all just want the port marked FORBIDDEN= "bungled security patch"

It is sad that you let your emotions blind you. If there will be someone
to knock some sense into you, by, for example, overriding the authority
you remind "us'all" about, I'll certainly applaud that person.

-mi
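As an added illustration of the two interfaces the thread argues over (this is not code from the PR, from arpwatch, or from either participant), the C below creates a temporary file through mkstemp() and checks, via fstat() on the open descriptor, the properties that make both mkstemp() and tmpfile() immune to the name-substitution race that plain mktemp() has: the file was created and opened atomically, is owned by us with group/other bits clear, and (for tmpfile()) has no directory entry left. The "arpwatch.XXXXXX" template, the directory argument and all function names are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Check, via the open descriptor, that a temporary file has the properties a
 * root daemon wants: a regular file we own, accessible only by us, and (when
 * `unlinked` is set) no directory entry through which anyone could reach it.
 * Returns 1 on success, 0 otherwise. */
int tempfd_is_private(int fd, int unlinked) {
    struct stat st;
    if (fd < 0 || fstat(fd, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode) || st.st_uid != geteuid()) return 0;
    if ((st.st_mode & 0077) != 0) return 0;   /* group/other bits must be clear */
    return unlinked ? st.st_nlink == 0 : st.st_nlink == 1;
}

/* The mkstemp() route: the template (assumed name "arpwatch.XXXXXX") is filled
 * in and the file is created with O_CREAT|O_EXCL and mode 0600 in one call, so
 * no other process can plant a file or symlink under that name between naming
 * and opening. On success `path` holds the created name and the descriptor is
 * returned; -1 on failure. */
int open_private_tempfile(const char *dir, char *path, size_t pathlen) {
    int n = snprintf(path, pathlen, "%s/arpwatch.XXXXXX", dir);
    if (n < 0 || (size_t)n >= pathlen) return -1;
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (!tempfd_is_private(fd, 0)) {   /* belt and braces; mkstemp guarantees this */
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* The tmpfile() route defended in the PR: the stream comes back already open
 * and already unlinked, so it is reachable only through this FILE*. Returns 1
 * if the stream passes the same checks, 0 otherwise. */
int tmpfile_is_private(FILE *fp) {
    return fp != NULL && tempfd_is_private(fileno(fp), 1);
}

int main(void) {
    char path[64];
    int fd = open_private_tempfile("/tmp", path, sizeof path);
    printf("mkstemp: %s -> %s\n", fd >= 0 ? path : "(failed)", fd >= 0 ? "private" : "not private");
    if (fd >= 0) { close(fd); unlink(path); }
    FILE *fp = tmpfile();
    printf("tmpfile: %s\n", tmpfile_is_private(fp) ? "private, unlinked" : "not private");
    if (fp) fclose(fp);
    return 0;
}
```

Both checks are what a reviewer would run when auditing a port's temporary-file handling; they pass on Linux and the BSDs, where both library routines create the file with mode 0600.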