2009/1/22 Matthew Toseland <toad at amphibian.dyndns.org>:
> On Tuesday 20 January 2009 01:29, Daniel Cheng wrote:
>>

[... this email is growing too long.. I have removed the parts I agree with / did not intend to reply to..]

> Some unmaintained code which somedude pulled in used scanf badly iirc,
> resulting in a serious vulnerability.

[overland]$ cd build/fms/src/
[overland]$ grep -ir scanf .
[overland]$

I am not sure what version this is, but it should be quite recent.

>> Reviewing from the start means quality?
>> Let's see the freetalk code:
>>
>> trunk/freenet/src/freenet/support/TransferThread.java line 57 and line
>> (see
>> http://www.google.com/codesearch/p?hl=en#KYLvKSOdAFc/trunk/freenet/src/freenet/support/TransferThread.java&q=mthread.interr
>> package:http://freenet\.googlecode\.com&l=57 )
>>
>> Setting the interrupt flag for currentThread() and clearing it
>> immediately -- what's the point?
>> I have posted this on the devl@ list a few times, yet *new* code
>> using this pattern is written.
>> This makes me suspect he never knew what interrupt() means.
>
> This does not introduce a security risk, but talk to p0s about it.

I have posted this on devel@ three times, replying to the commit message. No action, no email response. New code using the same pattern is committed.

Compare this to SomeDude -- I told him about an HTML injection vulnerability on the web interface. He fixed that vulnerability, and he checked the code for similar patterns and fixed 2 more problems after 1 day.

> [...]
>> FMS gives HTML too.
>> It can be integrated if you really want.
>>
>> FMS is not non-fixable. You just don't care about it.
>
> We don't bundle jSite, Thaw or Thingamablog either, even though they are
> written in Java. Because they are separate, non-integrated, standalone
> applications that we don't have control over and don't have the resources to
> review. FMS could conceivably be somewhat less separate in that FMS could
> link to the freenet web interface and vice versa, but given that we have
> Freetalk, which is integrated properly and has a better architecture, why
> bother?

Depends on what "architecture" means. If you mean the message format -- maybe. If you mean the class structure, program flow, etc. -- it's not. This can be very subjective -- you may ask nextgen to see if he agrees.

The code problems I know of in FMS are local -- just change one or two lines in a function. The code problems I know of in FreeTalk/WoT involve refactoring. In this sense, I consider FMS more maintainable.