On Tuesday 3 May 2005 16:42, Thijs Kinkhorst wrote:
> On Tue, May 3, 2005 16:24, Pierre Habouzit wrote:
> > No I really believe that we should have some strict (not
> > necessarily a lot, but sensible ones) requirements and quality
> > standards. and the magic quote invariability is a sensible one for
> > a library (e.g.).
>
> Isn't this something that's up to individual maintainers? If you want
> to package some piece of software, you review it to make sure that
> > you are willing to maintain it for a longer period of time and are
> able to support it as long as it's in stable. If you can already
> foresee that you can't or won't do that for a specific piece of
> software you won't be packaging it, will you?
Sure, but maybe some crazy maintainer would package one day some lib
that does not behave well wrt the gpc_quotes. This will lead to
security problems (SQL injections), and will put a burden on the security
team's shoulders, and that's not fair.
If there are some minimalistic requirements, I really believe we can
drastically reduce the possibility for such problems to arise.
I believe you know the 'strtok' function (in C). I quote the man page
here:
[...]
BUGS
Never use these functions.
[...]
This sounds like being obvious to a lot of C programmers, but there are
still some that believe they are smarter than the others, and that
would use those crappy APIs, and will write a piece of shit that will
have more security problems in a week than all other existing software
in a year.
Debian is about quality. Not about having the most packages possible.
And web apps are very sensitive: every security breach is a *remote*
breach, and that has to be taken seriously.
--
·O· Pierre Habouzit
··O
OOO http://www.madism.org
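Added example, not code from the thread or from any Debian package: one way a PHP library can stay invariant to the magic_quotes_gpc setting while also avoiding the SQL injection risk the message raises, by normalising input once and then binding it as a query parameter. The helpers normalize_gpc and find_user, the in-memory SQLite setup and the sample login value are all assumptions constructed for this illustration.

```php
<?php
// Added example (not from the thread). Assumes PHP 5 with PDO and the
// SQLite driver available; get_magic_quotes_gpc() exists up to PHP 7.3.

// Undo the slashes PHP adds on input when magic_quotes_gpc is on, so the
// rest of the library sees the same raw string whether the setting is on
// or off. Nested arrays ($_GET['a']['b']) are handled recursively.
function normalize_gpc($value)
{
    if (is_array($value)) {
        return array_map('normalize_gpc', $value);
    }
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magic ? stripslashes($value) : $value;
}

// Look a user up with a bound parameter: the driver quotes the value, so a
// login such as "admin' OR '1'='1" is compared literally instead of being
// parsed as SQL. No manual escaping is needed, and none is done.
function find_user(PDO $db, $login)
{
    $stmt = $db->prepare('SELECT id, login FROM users WHERE login = :login');
    $stmt->execute(array(':login' => $login));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Constructed sample standing in for $_GET['login'] (contains a quote,
// which is exactly the character magic_quotes_gpc would have escaped).
$raw = "o'brien";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT)');
$db->exec("INSERT INTO users (login) VALUES ('o''brien')");

var_dump(find_user($db, normalize_gpc($raw)));
```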