On Thu, Apr 17, 2008 at 09:17:19PM +0000, brian m. carlson wrote:
> On Thu, Apr 17, 2008 at 11:05:25PM +0200, Moritz Muehlenhoff wrote:
>> brian m. carlson wrote:
>>> There may be more. I have gone through the code as thoroughly as I
>>> could, but the code is barely legible and uses lots of fixed-size
>>> buffers. For these reasons, it is my recommendation that acon not be
>>> included in a stable release.
>>
>> Ack, this package should only be included in Lenny after a complete
>> review by a member of the Debian audit team and communication with
>> upstream to make sure such errors won't be re-introduced in later
>> development.
>
> I am subscribed to debian-audit, and we were requested to provide an
> audit, which I did. My recommendation stands. It's very difficult to
> audit the code, which is why I can't be sure I haven't missed something.
Ok, I wasn't aware you'd done a complete audit already.

> The fixed-size buffers used in one part of the code are passed around to
> other parts of the code, and it seems that nobody but upstream has
> memorized all the constants. I saw very few uses of sizeof(buf) where
> that would have been appropriated, magic numbers (some buffer sizes)
> sprinkled throughout the code, and heavy use of strcpy and sprintf.

Sounds like it indeed shouldn't be included in Lenny, then.

Cheers,
Moritz
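The review above criticises magic buffer sizes, missing sizeof(buf), and unbounded strcpy/sprintf. The following is an added illustration of that pattern and its fix, written for this page; it is not code from acon or from anyone in the thread, and the names (build_greeting_unsafe, build_greeting, greet_into_stack_buffer, GREETING_LEN) are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical example of the pattern the audit describes: a buffer
 * size kept as a bare magic number that every caller must remember. */
#define GREETING_LEN 32

/* Unsafe form: the callee assumes `out` holds GREETING_LEN bytes but
 * nothing enforces it, and strcpy/sprintf never check a bound. */
static void build_greeting_unsafe(char *out, const char *name)
{
    char tmp[16];
    strcpy(tmp, name);               /* overflows tmp for names of 16+ chars */
    sprintf(out, "Hello, %s!", tmp); /* overflows out for long names */
}

/* Hardened form: the caller passes the real capacity (sizeof(buf)),
 * snprintf enforces it, and truncation is reported instead of ignored.
 * Returns 0 on success, -1 when the result would not fit. */
static int build_greeting(char *out, size_t out_len, const char *name)
{
    if (out == NULL || out_len == 0 || name == NULL)
        return -1;
    int needed = snprintf(out, out_len, "Hello, %s!", name);
    if (needed < 0 || (size_t)needed >= out_len) {
        out[0] = '\0';               /* never hand back a half-written string */
        return -1;
    }
    return 0;
}

/* Caller that derives the capacity from the array itself instead of
 * repeating the constant. Returns the greeting length, or -1 on failure. */
static int greet_into_stack_buffer(const char *name)
{
    char buf[GREETING_LEN];
    if (build_greeting(buf, sizeof(buf), name) != 0)
        return -1;
    return (int)strlen(buf);
}

int main(void)
{
    char buf[GREETING_LEN];
    build_greeting_unsafe(buf, "Ada");   /* short input: happens to fit */
    printf("%s\n", buf);
    printf("%d\n", greet_into_stack_buffer("Ada"));
    printf("%d\n", greet_into_stack_buffer("a-name-much-longer-than-the-buffer-allows"));
    return 0;
}
```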