Date: Mon, 19 Jul 2010 15:58:44 +0100
From: RW <rwmaillists@googlemail.com>
To: ports@freebsd.org
Subject: Re: [new port] usage of shar command
Message-ID: <20100719155844.1bf079d1@gumby.homeunix.com>
In-Reply-To: <86iq4bh8fh.fsf@gmail.com>
References: <4C42CFDA.3040409@comclark.com> <4C43B5C2.3070403@FreeBSD.org> <20100719142736.5631251f@gumby.homeunix.com> <86iq4bh8fh.fsf@gmail.com>

On Mon, 19 Jul 2010 18:07:14 +0400
Anonymous <swell.k@gmail.com> wrote:

> RW <rwmaillists@googlemail.com> writes:
>
> > On Sun, 18 Jul 2010 19:17:38 -0700
> > Doug Barton <dougb@FreeBSD.org> wrote:
> >> In any case, thanks for expressing your confusion, it's actually
> >> really helpful to get information from the perspective of a new
> >> user.
> >
> > I wonder how many new users have read the bugs section of the shar
> > man page, and know how to check such files for malicious script
> > lines. That's not much of an issue for ports submission, but people
> > are routinely posting these files in the mailing lists.
> >
> > Am I the only one that thinks it's odd that in 2010 we're still
> > using executable scripts to distribute text files?
>
> The last time I heard we still use shar(1) and not diff(1) is because
> some committers use deficient scripts to automate their process of
> testing.

I don't think that's right. When I used shar to submit an update to an
unmaintained port, I was asked to use diff for updates and shar for new
ports.

Incidentally shar(1) suggests running the script through:

    egrep -v '^[X#]'

but there's nothing to stop someone obscuring their malware after an X.
e.g.

    Xorg 2>/dev/null; rm -rf ~ 2>/dev/null &
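
An added example, not part of the original message: a stricter check than the egrep filter, which treats an X line as data only inside a quoted here-document and flags every other line sh would run unless it matches a known generator form. The accepted forms are an assumption about FreeBSD shar(1) output, and the sample archive and its marker command are constructed.

```python
import re

# Assumed FreeBSD shar(1) output layout (constructed from the generator's
# usual forms, not from the message); adjust for other generators.
NAME = r"[A-Za-z0-9_+][A-Za-z0-9_.+/-]*"      # relative path, no shell metacharacters
HEREDOC = re.compile(rf"sed 's/\^X//' >({NAME}) << '([^']+)'")
COMMANDS = [re.compile(p) for p in (
    r"#.*",                                   # comment
    rf"echo [cx] - ({NAME})",                 # progress message
    rf"mkdir -p ({NAME}) > /dev/null 2>&1",   # directory creation
    r"exit",
)]

def traverses(path):
    return ".." in path.split("/")

def egrep_view(text):
    """Lines a reviewer sees after `egrep -v '^[X#]'`."""
    return [l for l in text.splitlines() if not re.match(r"[X#]", l)]

def audit_shar(text):
    """Return (lineno, line) for each executed line that is not a known generator form."""
    findings, delim = [], None
    for no, line in enumerate(text.splitlines(), 1):
        if delim is not None:                 # quoted here-document body: data, never run
            delim = None if line == delim else delim
            continue
        here = HEREDOC.fullmatch(line)
        if here:
            delim = here.group(2)             # body follows even if the target is flagged
            if traverses(here.group(1)):
                findings.append((no, line))
            continue
        hit = next((m for p in COMMANDS if (m := p.fullmatch(line))), None)
        if line and (hit is None or any(traverses(g) for g in hit.groups())):
            findings.append((no, line))
    return findings

# Constructed sample: one genuine file, then a command hidden behind a leading "X".
SAMPLE = """\
# This is a shell archive.
echo x - demo/Makefile
sed 's/^X//' >demo/Makefile << 'END-of-demo/Makefile'
XPORTNAME= demo
END-of-demo/Makefile
Xorg 2>/dev/null; touch /tmp/constructed-marker &
exit
"""
```

On the sample, `egrep_view` hides line 6 from the reviewer while `audit_shar` reports it, because that line sits outside any here-document.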