On Mon, 19 Jul 2010 18:07:14 +0400 Anonymous <swel...@gmail.com> wrote:
> RW <rwmailli...@googlemail.com> writes:
>
> > On Sun, 18 Jul 2010 19:17:38 -0700
> > Doug Barton <do...@freebsd.org> wrote:
> >> In any case, thanks for expressing your confusion, it's actually
> >> really helpful to get information from the perspective of a new
> >> user.
> >
> > I wonder how many new users have read the bugs section of the shar
> > man page, and know how to check such files for malicious script
> > lines. That's not much of an issue for ports submission, but people
> > are routinely posting these files in the mailing lists.
> >
> > Am I the only one that thinks it's odd that in 2010 we're still
> > using executable scripts to distribute text files?
>
> The last time I heard we still use shar(1) and not diff(1) is because
> some committers use deficient scripts to automate their process of
> testing.

I don't think that's right. When I used shar to submit an update to an
unmaintained port, I was asked to use diff for updates and shar for new
ports.

Incidentally shar(1) suggests running the script through:

    egrep -v '^[X#]'

but there's nothing to stop someone obscuring their malware after an X.
e.g.

    Xorg 2>/dev/null; rm -rf ~ 2>/dev/null &
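As an added example (not part of the original message or of shar itself), this review aid lists exactly the lines the message warns about: X-prefixed lines that sit outside any here-document body, which `egrep -v '^[X#]'` hides but sh would still execute. The function names `shar_hidden_lines` and `write_sample_shar` are hypothetical, and the sample archive is constructed, with a harmless `echo` standing in for the hidden command.

```shell
#!/bin/sh
# Added example: print "lineno:text" for each line of a shar file that
# `egrep -v '^[X#]'` hides from the reviewer but sh would still run,
# i.e. an X-prefixed line outside any here-document body.
shar_hidden_lines() {
    awk -v q="'" '
    inhere {                       # here-document body: data, not commands
        line = $0
        if (striptabs) sub(/^\t+/, "", line)
        if (line == delim) inhere = 0
        next
    }
    /^#/ { next }                  # comment line: never executed
    /^X/ { printf "%d:%s\n", NR, $0 }
    match($0, /<<-?[ \t]*[^ \t;&|<>]+/) {
        delim = substr($0, RSTART, RLENGTH)
        striptabs = (delim ~ /^<<-/)
        sub(/^<<-?[ \t]*/, "", delim)
        gsub(q, "", delim); gsub(/"/, "", delim)   # drop quoting
        inhere = 1
    }
    ' "$1"
}

# Constructed sample: one genuine archive member followed by one planted
# X line whose payload is a harmless echo. It is only read, never run.
write_sample_shar() {
    cat > "$1" <<'SAMPLE'
# This is a shell archive.
echo x - hello/Makefile
sed 's/^X//' >hello/Makefile << 'END-of-hello/Makefile'
XPORTNAME= hello
X.include <bsd.port.mk>
END-of-hello/Makefile
Xorg 2>/dev/null; echo constructed-hidden-command
exit
SAMPLE
}

# Stand-alone use: sh thisfile.sh some.shar
if [ "$#" -gt 0 ]; then
    shar_hidden_lines "$1"
fi
```

The tracker assumes POSIX-style `<<` here-documents only, so its output is a pointer to lines that need reading alongside the rest of the archive.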