Re: New package: please-0.3.16

[edneville <edneville@users.noreply.github.com>]

[-- Attachment #1: Type: text/plain, Size: 2307 bytes --]

New comment by edneville on void-packages repository

https://github.com/void-linux/void-packages/pull/27037#issuecomment-742808466

Comment:
@ericonr:
> Yes, there's something to be said for providing simpler security tools that can greatly increase the general security, due to being simpler to deploy. At the same time, we still have to minimally ensure that these tools don't introduce new holes.

This is a good attitude, and one that makes me confident in Void for the same reasons that I like Debian.

> Since you're introducing a new tool into the field, the burden of proof for that is mostly on you. If I don't merge this new package, not much changes, and people who really want it can install it from elsewhere. If we do merge this package and someone finds an exploit or issue with it, then we (Void) share the responsibility for the number of affected people, since including it in our repository counts as vetting it.  

The codebase is particularly small if that helps reduce concerns over attack surface, really Rust's Regex is doing the heavy lifting here.

@travankor:
> Note that Void has [opendoas](https://github.com/duncaen/opendoas), based on a similar tool in OpenBSD's src.

I've looked at doas, which, for similar reasons to this project desired a smaller code base than sudo.

> Secondly, there seems to already be a similar, older tool called [please](https://github.com/gblach/please), packaged in FreeBSD, which can be a source of confusion for everyone. This project is called `pleaser` on crates.io, so I don't know what the reason is for the dual naming scheme.

I used 'please' in as I thought that if someone wanted a sandwich they should ask 'please' first :) As I'm now aware of prior naming I'll update the project name where it isn't already 'pleaser'.

I was aware of 'doas' but not that FreeBSD had a tool named 'please' too, I suppose it came from similar thinking.

Importantly for this project, neither doas or gblach's please have regex command matching. doas is more limited than 'sudo' in that you cannot specify a range either, but if someone uses wildcards in a sudo argument without negations afterwards will likely suffer unfairly. This effort is to improve things, hopefully with a small codebase there will be fewer pains all round.