Hi Alejandro,

Alejandro Colomar <alx.manpa...@gmail.com> wrote (on Sun, Mar 5, 2023, 20:44):
>
> Package: passwd
> Source: shadow
> Tags: patch
> X-Debbugs-CC: Bálint Réczey <bal...@balintreczey.hu>
> X-Debbugs-CC: Iker Pedrosa <ipedr...@redhat.com>
> X-Debbugs-CC: Serge Hallyn <se...@hallyn.com>
>
> These dependencies were added upstream recently.
>
> Signed-off-by: Alejandro Colomar <a...@kernel.org>
> Cc: Iker Pedrosa <ipedr...@redhat.com>
> Cc: Serge Hallyn <se...@hallyn.com>
> --- > debian/control | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/debian/control b/debian/control > index 3cc66f8d..75015c35 100644 > --- a/debian/control > +++ b/debian/control > @@ -11,11 +11,13 @@ Build-Depends: bison, > gettext, > itstool, > libaudit-dev [linux-any], > + libbsd-dev,
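Review bot: The libbsd-dev line added to Build-Depends is justified only by "These dependencies were added upstream recently"; the commit message should name the upstream change and say what libbsd is needed for, so the new build dependency can be weighed on its merits. The entry is also unversioned and, unlike the neighbouring libaudit-dev [linux-any], carries no architecture restriction, so state whether any libbsd-dev version is sufficient and whether it is required on every architecture. The diffstat reports 2 insertions, but only this one is visible in the quoted hunk, so the second added line cannot be checked here.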
I checked out recent changes in shadow's master and I'm very happy about many of the fixes for memory allocation problems, but wearing my maintainer hat I believe linking to a new library for a few functions which are not very different from their glibc counterpart is not worth it.

There are reasons for strlcpy() not being provided by glibc [1]:

"Reactions among core glibc contributors on the topic of including strlcpy() and strlcat() have been varied over the years. Christoph Hellwig's early patch was rejected in the then-primary maintainer's inimitable style (1 and 2). But reactions from other glibc developers have been more nuanced, indicating, for example, some willingness to accept the functions. Perhaps most insightfully, Paul Eggert notes that even when these functions are provided (as an add-on packaged with the application), projects such as OpenSSH, where security is of paramount concern, still manage to either misuse the functions (silently truncating data) or use them unnecessarily (i.e., the traditional strcpy() and strcat() could equally have been used without harm); such a state of affairs does not constitute a strong argument for including the functions in glibc."

I agree with their position and the 6 cases where strlcpy() is used in shadow's current master could be implemented with strncpy() as safely as with strlcpy(). Freezero() also provides little extra benefit over memset() and free() and is used only 4 times in the code.

Could you please return to using functions provided by glibc instead of pulling in libbsd in the next upstream release? That way there would be no need for pkg-config or pkgconf either.

Cheers,
Balint

[1] https://lwn.net/Articles/507319/
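An added example, not part of this thread and not code from shadow: a sketch of what glibc-only stand-ins for strlcpy() and freezero() have to take care of. The helper names copy_bounded() and free_sensitive() are hypothetical, and explicit_bzero() (glibc 2.25 and later) is an assumption used here in place of memset(), since a plain memset() right before free() is a dead store the compiler may remove.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* exposes explicit_bzero() in <string.h> */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: bounded copy built on strncpy() only.
 * dst is always NUL-terminated when size > 0.
 * Returns 0 if src fit, -1 if it was truncated (or size == 0). */
int copy_bounded(char *dst, const char *src, size_t size)
{
    if (size == 0)
        return -1;
    /* strncpy() NUL-pads when src is shorter than size, but writes
     * no terminator at all when strlen(src) >= size. */
    strncpy(dst, src, size);
    if (dst[size - 1] != '\0') {
        dst[size - 1] = '\0';    /* terminate by hand */
        return -1;               /* report truncation to the caller */
    }
    return 0;
}

/* Hypothetical helper: wipe a heap buffer, then release it. */
void free_sensitive(void *p, size_t len)
{
    if (p == NULL)
        return;
    explicit_bzero(p, len);      /* not elided by the optimizer */
    free(p);
}

int main(void)
{
    char name[8];                /* constructed sample buffer */
    const char *inputs[] = { "root", "1234567", "12345678" };

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = copy_bounded(name, inputs[i], sizeof name);
        printf("%-10s -> \"%s\" (%s)\n", inputs[i], name,
               rc == 0 ? "ok" : "truncated");
    }

    char *secret = malloc(16);
    if (secret != NULL) {
        copy_bounded(secret, "constructed-pw", 16);
        free_sensitive(secret, 16);
    }
    return 0;
}
```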