On Sat, Apr 23, 2016 at 08:40:55PM +0200, David Dahlberg wrote:
> 
> Attached is a patch that has a first pledge after setlocale, and a
> second call after the command line parsing, which removes write access.

for me, the first pledge call is superfluous: it didn't really add any
gain to the program.

pledging ports should keep the diffs simple: it will be simpler later
to merge with port updates (because all the checks should be redone
in case of feature additions or changes...)

> I bid somebody with better C skills in using debuggers and reading
> symbols than me to check whether this should be sufficient. Steve,
> didn't you volunteer? ;-)

I already pointed out the system(3) call in html.c (requiring "proc exec").

$ tree -R -L 2 -H .
Abort trap (core dumped)

the system(3) call occurs with the combination of these 3 options. It is
why a dynamic approach is really hard to make exhaustive.


Please don't send patches if you aren't confident in your pledge
promises: devs will not have time to check and review all the code to be
sure that the promises you pledge are good.

Consider also that once bad promises are committed, the port could
become unusable for other users, and the problem could be more
important if it isn't caught in -current and bad promises go to
-stable (more work for devs). And users of the port will be angry about
pledge(2) and you.
-- 
Sebastien Marie
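The point above about system(3) being reachable only under one option combination is the reason a dynamic run of the program cannot be trusted to find every promise a port needs. As an added illustration (not code from this thread, from tree, or from the OpenBSD project), the script below does the complementary static check: it scans C source for libc calls known to need particular pledge(2) promises, reads the last pledge() string in the file, and reports promises that calls need but the final pledge did not keep. The call-to-promise table is an illustrative subset, the sample source is constructed, and treating the last pledge() call as the effective set is an assumption (pledge can only narrow, so later calls must fit under it); the scan is textual, so a call name inside a string literal would also match.

```python
"""Static scan of C source for libc calls whose pledge(2) promises are missing."""
import re

# Illustrative subset of libc calls and the promises they need (assumption:
# based on the pledge(2) man page; not a complete table). system(3) and
# popen(3) fork and exec a shell, hence both "proc" and "exec".
CALL_PROMISES = {
    "system": {"proc", "exec"},
    "popen": {"proc", "exec"},
    "fork": {"proc"},
    "execve": {"exec"},
    "execvp": {"exec"},
    "socket": {"inet"},
    "unlink": {"cpath"},
}

_CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, CALL_PROMISES)) + r")\s*\(")
_PLEDGE_RE = re.compile(r'\bpledge\s*\(\s*"([^"]*)"')


def strip_comments(source: str) -> str:
    """Blank out /* */ and // comments, keeping newlines so line numbers hold."""
    source = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"),
                    source, flags=re.S)
    return re.sub(r"//[^\n]*", "", source)


def call_sites(source: str) -> list:
    """Return (line number, call name, promises needed) for each matched call."""
    clean = strip_comments(source)
    sites = []
    for m in _CALL_RE.finditer(clean):
        line = clean.count("\n", 0, m.start()) + 1
        sites.append((line, m.group(1), CALL_PROMISES[m.group(1)]))
    return sites


def effective_promises(source: str) -> set:
    """Promises of the last pledge() call in the file.

    pledge(2) can only narrow, so the last call is the tightest set any
    later libc call has to live under (assumption: source order is run order).
    """
    strings = _PLEDGE_RE.findall(strip_comments(source))
    return set(strings[-1].split()) if strings else set()


def missing_promises(source: str) -> set:
    """Promises some matched call needs that the final pledge() did not keep."""
    needed = set()
    for _, _, promises in call_sites(source):
        needed |= promises
    return needed - effective_promises(source)


# Constructed sample modelled on the situation in the thread: pledge is
# narrowed after option parsing, but one option path still reaches system(3).
SAMPLE_SOURCE = r'''
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char **argv)
{
    int Hflag = argc > 1;
    /* narrowed after option parsing: no "proc" or "exec" promise here */
    if (pledge("stdio rpath", NULL) == -1)
        err(1, "pledge");
    if (Hflag)
        system("true");   /* reached only for one option combination */
    return 0;
}
'''

if __name__ == "__main__":
    for line, name, promises in call_sites(SAMPLE_SOURCE):
        print(f"line {line}: {name}() needs {' '.join(sorted(promises))}")
    print("final pledge keeps:", " ".join(sorted(effective_promises(SAMPLE_SOURCE))))
    print("missing promises:", " ".join(sorted(missing_promises(SAMPLE_SOURCE))))
```

Run against the sample it reports that system() on line 14 needs "proc exec" while the final pledge keeps only "stdio rpath", so "proc" and "exec" are missing; the same scan over a file that pledges "stdio rpath proc exec" reports nothing. The table is deliberately short and the matching is textual, so this is a review aid for reading a port's source, not a replacement for checking each call against pledge(2).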
