On Tuesday 3 May 2005 16:42, Thijs Kinkhorst wrote:
> On Tue, May 3, 2005 16:24, Pierre Habouzit wrote:
> > No, I really believe that we should have some strict (not
> > necessarily a lot, but sensible ones) requirements and quality
> > standards. And the magic quote invariability is a sensible one for
> > a library (e.g.).
>
> Isn't this something that's up to individual maintainers? If you want
> to package some piece of software, you review it to make sure that
> you are willing to maintain it for a longer period of time and are
> able to support it as long as it's in stable. If you can already
> foresee that you can't or won't do that for a specific piece of
> software, you won't be packaging it, will you?

Sure, but maybe some crazy maintainer would one day package some lib that does not behave well wrt the gpc_quotes. This will lead to security problems (SQL injections), and will put a burden on the security team's shoulders, and that's not fair. If there are some minimalistic requirements, I really believe we can drastically reduce the possibility for such problems to arise.

I believe you know the 'strtok' function (in C). I quote the man page here:

[...]
BUGS
    Never use these functions.
[...]

This sounds obvious to a lot of C programmers, but there are still some who believe they are smarter than the others, who would use those crappy APIs, and who will write a piece of shit that will have more security problems in a week than all other existing software in a year.

Debian is about quality. Not about having the most packages possible. And web apps are very sensitive: every security breach is a *remote* breach, and that has to be taken seriously.

-- 
·O·  Pierre Habouzit
··O
OOO  http://www.madism.org
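The "magic quote invariability" requirement discussed in this thread, shown in code. This is an added example and is not code from the mailing-list post, from Debian, or from any packaged library. It assumes a hypothetical library function that builds a `users` lookup query from a GPC parameter, and it simulates the `magic_quotes_gpc` transformation with `addslashes` so that the script runs on any PHP version (the real `get_magic_quotes_gpc()` was removed in PHP 8). The payload string is constructed for the demonstration.

```php
<?php
// Added example, not code from the thread or from Debian.
//
// With magic_quotes_gpc=On, PHP <= 5.3 ran addslashes() over every value in
// $_GET/$_POST/$_COOKIE before the script saw it. A library that silently
// assumes one setting is wrong under the other:
//   - assumes On, interpolates "already escaped" input -> SQL injection when Off
//   - assumes Off, escapes again                      -> double escaping when On
// An invariant library undoes the magic layer first, then escapes (or, better,
// binds parameters) itself, so the result is the same under both settings.

// Simulates what the PHP runtime did to GPC arrays when magic_quotes_gpc=On.
function simulate_magic_quotes(array $gpc, bool $enabled): array
{
    return $enabled ? array_map('addslashes', $gpc) : $gpc;
}

// Library side: always recover the raw, unescaped value, whatever the config.
// (On PHP < 8 the flag would come from get_magic_quotes_gpc().)
function raw_gpc(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Naive hypothetical library: relies on magic quotes having escaped the input.
function query_assuming_magic_on(string $user): string
{
    return "SELECT * FROM users WHERE name = '$user'";
}

// Invariant hypothetical library: normalize, then escape explicitly.
// Doubling ' and \ is what mysql_real_escape_string() does for MySQL; a
// prepared statement with a bound parameter is the preferred form, but a
// plain string is used here so the example runs without a database.
function query_invariant(string $user, bool $magicQuotesOn): string
{
    $raw     = raw_gpc($user, $magicQuotesOn);
    $escaped = str_replace(["\\", "'"], ["\\\\", "''"], $raw);
    return "SELECT * FROM users WHERE name = '$escaped'";
}

// Constructed attacker input: closes the quoted literal and tacks on a tautology.
$payload = "x' OR '1'='1";

foreach ([true, false] as $on) {
    $gpc = simulate_magic_quotes(['name' => $payload], $on);
    echo "magic_quotes_gpc=" . ($on ? 'On' : 'Off') . "\n";
    echo "  naive:     " . query_assuming_magic_on($gpc['name']) . "\n";
    echo "  invariant: " . query_invariant($gpc['name'], $on) . "\n";
}
```

Run it and compare the two settings: the naive query is safe only while magic quotes are on (`name = 'x\' OR \'1\'=\'1'`) and becomes `name = 'x' OR '1'='1'` the moment an administrator turns them off, which is exactly the "lib that does not behave well wrt the gpc_quotes" case. The invariant query reads `name = 'x'' OR ''1''=''1'` under both settings, so the library's security properties no longer depend on a php.ini directive it does not control.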