On Thursday 22 January 2009 04:49, Daniel Cheng wrote:
> 2009/1/22 Matthew Toseland <toad at amphibian.dyndns.org>:
> > On Tuesday 20 January 2009 01:29, Daniel Cheng wrote:
> >
> >>
> 
> [... this email is growing too long.. I have removed the parts I agree
> with / did not intend to reply to..]
> 
> >
> > Some unmaintained code which somedude pulled in used scanf badly iirc,
> > resulting in a serious vulnerability.
> 
> [overland]$ cd build/fms/src/
> [overland]$ grep -ir scanf .
> [overland]$
> 
> I am not sure what version this is, but it should be quite recent.

Yeah, I heard that library was removed in 0.3.
> 
> >> Review from the start means quality?
> >> Let's see the freetalk code:
> >>
> >> trunk/freenet/src/freenet/support/TransferThread.java line 57 and line
> >> (see http://www.google.com/codesearch/p?hl=en#KYLvKSOdAFc/trunk/freenet/src/freenet/support/TransferThread.java&q=mthread.interr
> >> package:http://freenet\.googlecode\.com&l=57 )
> >>
> >> Setting the interrupt flag for currentThread() and clearing it
> >> immediately -- what's the point?
> >> I have posted this on the devl@ list a few times, yet *new* code
> >> using this pattern is written.
> >> This makes me suspect he never knew what interrupt() means.
> >
> > This does not introduce a security risk, but talk to p0s about it.
> 
> I have posted this on devel@ three times, replying to the commit
> message. No action, no email response. New code using the same
> pattern is committed.

Then post to wot@ instead.
> 
> Compare this to SomeDude --
> I told him about an HTML injection vulnerability on the web interface..
> He fixed that vulnerability and he checked the code for similar
> patterns and fixed 2 more problems after 1 day.

I suspect that p0s would fix a vulnerability fairly quickly too, but I haven't 
tested this theory yet.
> 
> > [...]
> 
> >> FMS gives HTML too.
> >> It can be integrated if you really want.
> >>
> >> FMS is not non-fixable. You just don't care about it.
> >
> > We don't bundle jSite, Thaw or Thingamablog either, even though they are
> > written in Java. Because they are separate, non-integrated, standalone
> > applications that we don't have control over and don't have the resources to
> > review. FMS could conceivably be somewhat less separate in that FMS could
> > link to the freenet web interface and vice versa, but given that we have
> > Freetalk, which is integrated properly and has a better architecture, why
> > bother?
> 
> Depends on what "architecture" means.
> If you mean the message format -- maybe.
> If you mean the class structure, program flow, etc -- it's not.

I mean the fact that it's a plugin, and separates the WoT logic into another 
plugin, and can be accessed via FCP as well as via its UI.
> 
> This can be very subjective -- you may ask nextgen to see if he agrees.
> 
> The code problems I know of in FMS are local -- just change one or two
> lines in a function.
> The code problems I know of in FreeTalk/WoT involve refactoring.

The example you gave, abuse of the interrupt flag, doesn't involve 
refactoring.

> In this sense, I consider FMS more maintainable.