Hi, Kaashif Hymabaccus wrote on Tue, Aug 26, 2014 at 01:09:41PM +0100:
> I tried to update www/newsbeuter to 2.8, and I thought it would be easy, > considering that all of the patches to 2.7 had been merged upstream, so > there was no need for any of them. I updated the Makefile and tried to > compile newsbeuter 2.8, only to find it uses the libc function wordexp, > which is not implemented in OpenBSD. > > I found this mail on the matter from 2010: > http://marc.info/?l=openbsd-tech&m=127058619519298&w=2 > > Has the situation changed since then? No, the specification of the function did not change. And POSIX 2008 is still the latest standard. The specification is still as ill-designed in the same (large) number of respects as it always was, and the function is still as dangerous as it always was. The specific implementation doesn't even matter, the misguided definition of the interface itself is the problem here. In OpenBSD, we strive to implement standards where they make sense. We try to not be gratuitiously different. Even when parts of a standard make rather little sense, we often sacrifice a bit of code and interface quality merely to be compatible. But there is a limit. If an aspect of a standard is so outrageously bad that implementing it would seriously jeopardize project goals, we stand up to it and do not implement it. There are several such cases in various areas. This one is a textbook example. > There seem to be a lot of projects > using wordexp now, what can be done about it? Tell them to stop using it. > To me, it looks like the only option is to send patches to all > of the projects using wordexp and get them to stop using it, > but that's not practical. If you want to help a project you care about by providing patches, that's certainly fine. But if some project does not understand why wordexp(3) is a bad interface, or does not care, and continues to use it, or does not make it a priority to replace it with something better, you should probably not use code from that project in the first place: It's obvious the project does not understand secure coding practices or doesn't care about security. > Isn't there something else that can be done, or is getting everyone > to stop using it the only option? Ultimately, the only thing you can do about low-quality software is stop using it and use (or write or fork) something better. Yours, Ingo
