Re: difflog.pl and "security"

[Peter Stephenson <pws@csr.com>]

On Sun, 02 Dec 2007 17:45:19 -0800
Bart Schaefer <schaefer@brasslantern.com> wrote:
> On Dec 2,  4:40pm, Clint Adams wrote:
> }
> } There seems to be some excitement[1] about the tempfile handling in
> } difflog.pl.
> 
> I'll bet the number of times difflog.pl has been run in the last four
> years, by anyone, could be counted on one hand.  Why would Gentoo even
> include it in the packages?  It's strictly a tool for those maintaining
> two zsh code branches in parallel.

Yes, I'm more worried about the implication that anything distributed will
be assumed to be robust for any usage.  In the usage for which difflog.pl
is supplied, security is not an issue since you're diffing two publicly
available logs.  People need to be discouraged from thinking the same
script will work as a heavy-duty tool for logs that might need more
security.

Maybe we should simply leave it out of the distribution (but leave it in
the archive), since it's essentially no use unless you have a CVS tree.  It
might be worth adding a new list in .distfiles to indicate this...

It looks like the "distfiles" stuff isn't yet documented, as far as I can
see.

Index: Etc/zsh-development-guide
===================================================================
RCS file: /cvsroot/zsh/zsh/Etc/zsh-development-guide,v
retrieving revision 1.14
diff -u -r1.14 zsh-development-guide
--- Etc/zsh-development-guide	6 Jul 2007 21:52:39 -0000	1.14
+++ Etc/zsh-development-guide	3 Dec 2007 10:39:38 -0000
@@ -826,3 +826,33 @@
 zsh                   The Zsh Development Group (contact: <coordinator@zsh.org>)
 
 Below the top level, naming authority is delegated.
+
+
+Distribution of files
+---------------------
+
+zsh is distributed in two parts: a "src" distribution containing all
+the source files (roughly, but not exactly, corresponding to the CVS
+tree), and a "doc" distribution containing some pre-built files from
+the documentation directory.  All the files in the "doc" distribution
+may be generated from files in the "src" distribution with appropriate
+freely available tools.
+
+To indicate which files should be distributed, each directory in the CVS
+tree includes a file .distfiles that sets any number of a set of Bourne
+shell (scalar) parameters.  The value of the parameter is expanded as a
+set of standard command line arguments.  Basic globbing is allowed in the
+values.
+
+The following parameters are currently used:
+
+- DISTFILES_SRC is a list of files from the directory for the "src"
+  distribution.
+
+- DISTFILES_DOC is a list of files from the directory for the "doc"
+  distribution.
+
+- DISTFILES_NOT is a list of files that will not be included in a
+  distribution, but that need to be present in the CVS tree.  This
+  variable is not used by the zsh build process and is present for
+  the convenience of external checks.
Index: Util/.distfiles
===================================================================
RCS file: /cvsroot/zsh/zsh/Util/.distfiles,v
retrieving revision 1.3
diff -u -r1.3 .distfiles
--- Util/.distfiles	19 Mar 2004 10:53:04 -0000	1.3
+++ Util/.distfiles	3 Dec 2007 10:39:39 -0000
@@ -1,5 +1,11 @@
 DISTFILES_SRC='
     .distfiles
-    check_exports difflog.pl helpfiles mkdisttree.sh reporter
+    check_exports
+    helpfiles
+    mkdisttree.sh
     preconfig
+    reporter
+'
+DISTFILES_NOT='
+    difflog.pl
 '


-- 
Peter Stephenson <pws@csr.com>                  Software Engineer
CSR PLC, Churchill House, Cambridge Business Park, Cowley Road
Cambridge, CB4 0WZ, UK                          Tel: +44 (0)1223 692070