bug-gnu-utils
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bug#530087: gettext: bashism in /bin/sh script (fwd)

From: Bob Proulx
Subject: Re: Bug#530087: gettext: bashism in /bin/sh script (fwd)
Date: Sun, 26 Jul 2009 10:55:22 -0600
User-agent: Mutt/1.5.18 (2008-05-17) 
Santiago Vila wrote:
> I've received this from the Debian bug system.

Thank you for reporting this so that it could be discussed!

> We have the goal of allowing /bin/sh to be dash by default, in which case,
> the code shown does not get the extra randomness provided by $RANDOM,

The code in question that is triggering the automated check for
non-portable code is in a fallback section.  First the code calls
mktemp, which is priority required on Debian, and only if mktemp isn't
available does it fall back to this secondary code.  Because mktemp is
required on Debian this second code section will never be executed on
Debian regardless of whether it is running under bash or dash.  There
should be no concern about using this script on a system where /bin/sh
is dash.

> so it would be considered as unsecure code.

Eric already responded about the security aspects of this code
snippet.  Even if the script is running under dash, and 'mktemp' is
not available on the system, and that section of code runs without a
value for $RANDOM the section will still operate correctly and as
designed and intended.  And since this will only be run when 'mktemp'
is not available this does not even apply to Debian.

> I could simply patch the script to use tempfile, which is essential in
> Debian, but a solution for everybody would be better.

I think most of use prefer the use of 'mktemp' over 'tempfile'.  But
of course that is just my opinion.

*If* you were to patch the file then removing the fallback section
seems better than rewriting it.  The code you would remove would never
have run on Debian anyway.

A better solution would be to indicate to the automated tool that the
code snippet has been reviewed by a human and found to be okay.
Because almost certainly that code snippet will be seen many times in
many scripts since it is one of the documented examples of portable code.

> If autopoint and gettextize would do something like this, it would be great.

I think this is a case of an automated tool, which is great for
grinding through a very large number of cases quickly, identified
something which needed to be looked at in more depth.  After having
looked at the code in detail it can be noted as okay.

I think it is probably not possible to have an automated tool which is
correct all of the time.  And the same for a human too.  :-)

Thanks again for bringing this up for discussion!

Bob
reply via email to
[Prev in Thread] Current Thread [Next in Thread]