On 2013/11/27 11:56, Ted Unangst wrote:
> On Wed, Nov 27, 2013 at 16:47, Francisco de Borja Lopez Rio wrote:
>
> > Ok. Probably I need to understand first what "an unsafe use" of it means, as
> > mentioned in Security Recommendations in the porting page:
> >
> > http://www.openbsd.org/porting.html#Security
>
> 1. I don't think strcmp belongs in that list. strcmp only reads data.
> If that's a problem, then the buffer overflow has already occurred.
>
> 2. I honestly don't understand what half of those issues are or how
> we could possibly fix all the ports to avoid them. I think they're
> mostly talking about setuid programs, but some of the bullet points
> forget to mention that fact. "Beware the dynamic loader"? Are people
> actually auditing every library to make sure it calls issetugid? Maybe
> I'm just out of touch with how porting really works.
>

There are some useful bits in that page but it is fairly out of date with current porting practices. Main porting docs are in http://www.openbsd.org/faq/ports/; it would be nice if someone had time to go through the out-of-date pages like porting.html and move any remaining useful bits to faq/ports/, then we can finally kill off porting.html etc. and replace them with placeholders / meta refresh pages pointing people at the new pages.