On 2013/08/28 11:32, Craig R. Skinner wrote:
> On 2013-08-28 Wed 08:44 AM |, Stuart Henderson wrote:
> >
> > - don't distribute source files in ports
> > - your local rcs history is pointless to include in the port
>
> I did this because I thought it was OK to include small files:
Not really, ports-internal things like sqlports are OK to put there but that's pretty much it. There were one or two others in the past but I think they've been moved to proper distfiles now.

> I also want to give the code away and make it easy for others to improve.

github etc.?

> > - this is, err, not normal:
> >
> > @echo '@mode ${SHAREMODE}\n@group ${SHAREGRP}' >> ${PLIST}
> > @echo 'share/doc/pkg-readmes/${FULLPKGNAME}' | tee -a ${PLIST}
> > @${SUBST_CMD} -c -g ${BINGRP} -o ${BINOWN} \
> >     ${FILESDIR}/${INST_DIR}/${DISTNAME} \
> >     ${PREFIX}/${INST_DIR}/${DISTNAME}
> > @echo '@mode ${BINMODE}\n@owner ${BINOWN}\n@group ${BINGRP}' | tee -a ${PLIST}
> > @echo "${INST_DIR}/${DISTNAME}" | tee -a ${PLIST}
> >

PLIST generation. "make plist" and tweak the results as needed like other ports do. A port shouldn't be touching files in the ports tree itself during build, and in this case it won't even work (you keep appending to the file each time it's run).

> > - script itself has security issues
> >
> Thanks for the feedback Stuart.
>
> Pointers about security appreciated.

From a quick look at the script (I'm only using spamd as a classic tarpit on a low priority MX rather than anything else so I'm not interested in using it myself..) there are various uses of fixed/predictable names for tempfiles in shared directories, which is unsafe. It's a well known problem so there's plenty of advice e.g. https://www.securecoding.cert.org/confluence/display/seccode/FIO43-C.+Do+not+create+temporary+files+in+shared+directories (note, predictable names includes using $$, use mktemp with a decent number of X's, say 10+, instead)

...
retrieved=$(print ${url} | sed 's/[`¬¦!"$%^&*()+=:;@~#\|?/<>,]/_/g')

Keep known-good characters, rather than try and strip out bad characters. A hash of the URL might be more appropriate.
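The two fixes Stuart points at (mktemp with enough X's instead of a $$-based name, and an allowlist or a hash instead of stripping "bad" characters from the URL) written out as an added example. This is not code from the thread or from Craig's script; the function names mk_tmp, url_key and url_hash and the spamd-greylist template name are assumptions made here for illustration, and the sample URLs are constructed.

```sh
#!/bin/sh
# Added example, not part of the original thread or the port's script.
# Shows the hardened forms of the two constructs criticised above.
set -eu

# 1. Temporary files.
#    Bad (predictable name in a shared directory, racy, no O_EXCL):
#        out=/tmp/spamd-list.$$
#    Good: let mktemp create the file atomically with an unguessable
#    suffix. 12 X's here; Stuart suggests "say 10+". Honouring TMPDIR
#    lets a caller point it at a private directory instead of /tmp.
#    (mk_tmp is a hypothetical helper name.)
mk_tmp() {
    mktemp "${TMPDIR:-/tmp}/spamd-greylist.XXXXXXXXXXXX"
}

# 2a. Allowlist instead of denylist: keep only characters known to be
#     safe in a filename (letters, digits, dot, underscore, hyphen) and
#     map everything else to "_". printf '%s' avoids a trailing newline
#     that tr would otherwise turn into "_".
#     (url_key is a hypothetical helper name.)
url_key() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_'
}

# 2b. Hash of the URL: distinct URLs that differ only in characters the
#     allowlist rewrites (e.g. "a/b" vs "a_b") would collide under
#     url_key; a digest keeps them apart and has a fixed length.
#     OpenBSD ships sha256(1), GNU userland ships sha256sum(1).
#     (url_hash is a hypothetical helper name.)
url_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | sha256 -q
    fi
}

# Demo on constructed input; the temp file is removed again.
demo_url_a='http://example.com/a/b'   # constructed
demo_url_b='http://example.com/a_b'   # constructed
tmp=$(mk_tmp)
echo "tempfile: $tmp"
rm -f "$tmp"
echo "allowlist: $(url_key "$demo_url_a") / $(url_key "$demo_url_b")"
echo "hash:      $(url_hash "$demo_url_a")"
echo "hash:      $(url_hash "$demo_url_b")"
```

The allowlist line on its own still shows why Stuart adds "a hash of the URL might be more appropriate": both constructed URLs collapse to the same key, while their digests differ.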