Re: cvs: temporary file handling fixes


From: Derek Robert Price
Subject: Re: cvs: temporary file handling fixes
Date: Mon, 26 May 2003 23:17:43 -0400
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02

Solar Designer wrote:

However, looking at 1.12.1, I notice that the only two scripts which
will now use mktemp (if enabled at configure time) are cvsbug and
rcs2log, and the uses by cvsbug are buggy in that the file name in
$TEMP will be re-used multiple times.  Yes, Red Hat has this bug in
their patch too.

I don't understand why you consider our fixing the other scripts in
contrib/ and the documentation misguided.


I forget why; I'll see if I can find time to review them again soon.

The fixes that might be usable are going to need at least ChangeLog entries to accompany them,

Obviously, but:

- it doesn't make sense to write full ChangeLog entries before we know
the fixes are even getting in (and I don't expect you to include them
without any changes at all);


Well, yes it does when I can't figure out the purpose of your changes. A more complete abstract would help immensely in this case as well, but if I can't decipher the reason for any part of a patch when reviewing it, I find ChangeLog entries can be useful.

- CVS is just one of over 120 packages in Owl and we're primarily
concerned with making our distribution better; we also like to share
our changes with upstream maintainers, but we can't afford to spend
much extra time on the integration of our changes upstream.


If I don't understand the reason for your changes I am hardly going to incorporate them. If you plan on continuing to maintain a distribution of CVS, I expect it would be useful to you to have those changes incorporated upstream.

some may need more documentation or tests in sanity.sh, and all will need to have their purposes explained more fully to be accepted. Please see the HACKING file in the top level of the CVS source distribution for more on how to submit patches. Please note in particular that they should be sent to the <address@hidden> mailing list and not directly to me.

This all is fine with me (although I won't necessarily have the time
to submit any of this officially), but it doesn't make a valid
procedure for reporting security problems and proposing fixes to them.
In particular, I was looking for a (security) bug reporting address
that wouldn't automatically reach a public mailing list, -- but it
seems you find unsafe temporary file handling to be a minor enough
issue to be discussed in public.  This is OK with me, but I thought
that some vendor-sec members could prefer to handle it differently.

Again, sorry for bouncing a possibly sensitive email to bug-cvs so quickly, but unless clearly and believably labeled as sensitive, it is practically a reflex action for me to bounce emails about CVS from senders I don't recognize to address@hidden when they contain patches. I get a lot of email and have little enough free time as it is.

Derek

--
               *8^)

Email: address@hidden

Get CVS support at <http://ximbiot.com>!
--
There are no absolutes.






