FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Development

 
 
LinkBack Thread Tools
 
Old 01-29-2010, 01:32 AM
Eric Smith
 
Default best practice for packing programs that use strlcpy()?

What is considered the best practice for packaging a program that uses
strlcpy()?
Is there a Fedora library that provides strlcpy() and friends?
Should I add an implmentation of strlcpy() to the package as an
additional source or patch?
Should I modify the program to not need strlcpy()? (I really don't like
this idea.)

Thanks,
Eric

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 01-29-2010, 01:50 AM
"Tom "spot" Callaway"
 
Default best practice for packing programs that use strlcpy()?

On 01/28/2010 09:32 PM, Eric Smith wrote:
> What is considered the best practice for packaging a program that uses
> strlcpy()?

Besides patching it to not use strlcpy?

> Is there a Fedora library that provides strlcpy() and friends?

Besides glib, no. You could probably package up libbsd for inclusion:
http://libbsd.freedesktop.org/wiki/

~spot
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 01-29-2010, 06:38 AM
Eric Smith
 
Default best practice for packing programs that use strlcpy()?

Tom "spot" Callaway wrote:
> You could probably package up libbsd for inclusion:
> http://libbsd.freedesktop.org/wiki/
>
That's exactly the kind of thing I was hoping to find. I've submitted a
package for review:

https://bugzilla.redhat.com/show_bug.cgi?id=559856

Thanks!
Eric

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 01-29-2010, 09:50 AM
"Bryn M. Reeves"
 
Default best practice for packing programs that use strlcpy()?

On Thu, 2010-01-28 at 23:38 -0800, Eric Smith wrote:
> Tom "spot" Callaway wrote:
> > You could probably package up libbsd for inclusion:
> > http://libbsd.freedesktop.org/wiki/
> >
> That's exactly the kind of thing I was hoping to find. I've submitted a
> package for review:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=559856

Be aware also that despite rumors to the contrary it's just as easy to
misuse and abuse srtl* and friends as the other string handling
routines.

Code using them should be subject to the same security review scrutiny
as code using other string mungling interfaces.

Cheers,
Bryn.

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 01-29-2010, 04:09 PM
Kevin Kofler
 
Default best practice for packing programs that use strlcpy()?

Eric Smith wrote:
> What is considered the best practice for packaging a program that uses
> strlcpy()?
> Is there a Fedora library that provides strlcpy() and friends?
> Should I add an implmentation of strlcpy() to the package as an
> additional source or patch?
> Should I modify the program to not need strlcpy()? (I really don't like
> this idea.)

You're the victim of a longstanding feud between people who think strlcpy
and friends are essential for security (including the OpenBSD community, who
invented them, and several application developers) and those who think
they're just useless nonstandard functions (including Ulrich Drepper, the
glibc maintainer), with no resolution in sight, unfortunately. :-(

Well, technically:
> Is there a Fedora library that provides strlcpy() and friends?
libkdefakes.so.5 provides strlcat and strlcpy, but as that's part of kdelibs
it's probably not the answer you were looking for. ;-)

libbsd sounds like a decent solution, probably the best you'll get due to
the conflict cited above.

Kevin Kofler

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 01-30-2010, 08:47 AM
Eric Smith
 
Default best practice for packing programs that use strlcpy()?

I guess I should have known that this would open a can of worms.

I'm NOT trying to advocate that anyone write new software using
strlcpy() etc. I'm NOT trying to claim that these functions are "safe"
or better than the alternatives. I'm only trying to support the porting
of existing BSD packages to Fedora.

Some people seem to think that the way to do that is to rewrite/patch
the packages to not use strlcpy(). My opinion is that doing that will
make the software less reliable, not because strlcpy() is inherently
reliable, but because replacing each instance of it with new
hand-written replacement code is likely to introduce new bugs, make it
more difficult to accept updates from upstream, and cause more long-term
package maintenance problems for Fedora. Having a single, maintained
library providing this and a few other BSD-specific functions is not a
perfect solution, but there is no perfect solution.

I could still use a package reviewer if anyone is willing to do that.

Thanks!
Eric

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 01-30-2010, 04:32 PM
shmuel siegel
 
Default best practice for packing programs that use strlcpy()?

On 1/29/2010 4:50 AM, Tom "spot" Callaway wrote:
> On 01/28/2010 09:32 PM, Eric Smith wrote:
>
>> What is considered the best practice for packaging a program that uses
>> strlcpy()?
>>
> Besides patching it to not use strlcpy?
>
Is there a reason (from a programming point of view) to avoid
strlcpy/strlcat?

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 02-01-2010, 10:00 AM
"Daniel P. Berrange"
 
Default best practice for packing programs that use strlcpy()?

On Sat, Jan 30, 2010 at 07:32:06PM +0200, shmuel siegel wrote:
> On 1/29/2010 4:50 AM, Tom "spot" Callaway wrote:
> > On 01/28/2010 09:32 PM, Eric Smith wrote:
> >
> >> What is considered the best practice for packaging a program that uses
> >> strlcpy()?
> >>
> > Besides patching it to not use strlcpy?
> >
> Is there a reason (from a programming point of view) to avoid
> strlcpy/strlcat?

They are solving the wrong problem. Just use asprintf() and avoid the
entire issue of fixed size buffers in the first place. There are times
when fixed size buffers are important, but much of the C code I see that
uses strcat() would be better off re-written to use asprintf()

Regards,
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 

Thread Tools




All times are GMT. The time now is 05:27 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org