From: Doug Barton on 18 Jul 2010 22:49

On 07/18/10 19:47, Joe wrote:
> There will always be first timers. We all started somewhere. :)

Doug

--
Improve the effectiveness of your Internet presence with
a domain name makeover! http://SupersetSolutions.com/

Computers are useless. They can only give you answers.
-- Pablo Picasso

_______________________________________________
freebsd-ports(a)freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscribe(a)freebsd.org"

From: RW on 19 Jul 2010 09:27

On Sun, 18 Jul 2010 19:17:38 -0700
Doug Barton <dougb(a)FreeBSD.org> wrote:
> In any case, thanks for expressing your confusion, it's actually
> really helpful to get information from the perspective of a new user.

I wonder how many new users have read the bugs section of the shar man
page, and know how to check such files for malicious script lines.
That's not much of an issue for ports submission, but people are
routinely posting these files in the mailing lists.

Am I the only one that thinks it's odd that in 2010 we're still using
executable scripts to distribute text files?

From: Anonymous on 19 Jul 2010 10:07

RW <rwmaillists(a)googlemail.com> writes:

> On Sun, 18 Jul 2010 19:17:38 -0700
> Doug Barton <dougb(a)FreeBSD.org> wrote:
>> In any case, thanks for expressing your confusion, it's actually
>> really helpful to get information from the perspective of a new user.
>
> I wonder how many new users have read the bugs section of the shar man
> page, and know how to check such files for malicious script lines.
> That's not much of an issue for ports submission, but people are
> routinely posting these files in the mailing lists.
>
> Am I the only one that thinks it's odd that in 2010 we're still using
> executable scripts to distribute text files?

The last time I heard we still use shar(1) and not diff(1) is because
some committers use deficient scripts to automate their process of
testing.

From: RW on 19 Jul 2010 10:58

On Mon, 18 Jul 2010 18:07:14 +0400
Anonymous <swell.k(a)gmail.com> wrote:
> RW <rwmaillists(a)googlemail.com> writes:
>
> > On Sun, 18 Jul 2010 19:17:38 -0700
> > Doug Barton <dougb(a)FreeBSD.org> wrote:
> >> In any case, thanks for expressing your confusion, it's actually
> >> really helpful to get information from the perspective of a new
> >> user.
> >
> > I wonder how many new users have read the bugs section of the shar
> > man page, and know how to check such files for malicious script
> > lines. That's not much of an issue for ports submission, but people
> > are routinely posting these files in the mailing lists.
> >
> > Am I the only one that thinks it's odd that in 2010 we're still
> > using executable scripts to distribute text files?
>
> The last time I heard we still use shar(1) and not diff(1) is because
> some committers use deficient scripts to automate their process of
> testing.

I don't think that's right. When I used shar to submit an update to an
unmaintained port, I was asked to use diff for updates and shar for new
ports.

Incidentally shar(1) suggests running the script through:

    egrep -v '^[X#]'

but there's nothing to stop someone obscuring their malware after an X.
e.g.

    Xorg 2>/dev/null; rm -rf ~ 2>/dev/null &

From: Anonymous on 19 Jul 2010 11:24

RW <rwmaillists(a)googlemail.com> writes:

> I don't think that's right. When I used shar to submit an update to an
> unmaintained port, I was asked to use diff for updates and shar for
> new ports.

I was referring more to [new port] PRs. Besides, diffs are natural to
any VCS unlike shars.

> Incidentally shar(1) suggests running the script through:
>
>     egrep -v '^[X#]'
>
> but there's nothing to stop someone obscuring their malware after an X.
> e.g.
>
>     Xorg 2>/dev/null; rm -rf ~ 2>/dev/null &

It's possible to hide it inside X-lines by not quoting here-document
delimiter, e.g.

%%
# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	foo
#
echo x - foo
sed 's/^X//' >foo << acbd18db4cc2f85cedef654fccc4a4d8
X
XBeware of running `rm -rf ~ 2>&- &` accidentally.
X
acbd18db4cc2f85cedef654fccc4a4d8
exit
%%
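
Added example (not part of any message in this thread): a way to inspect a shar archive as data instead of running it through sh, flagging both cases raised above, a command on an X-prefixed line outside a here-document and an unquoted here-document delimiter. The allowlist of expected commands, the function name `audit_shar` and the sample archive are assumptions constructed for this illustration.

```python
import re

# Assumed allowlist of what a shar script contains outside here-documents.
NAME = r"[\w./+@-]+"
SAFE = re.compile(rf"^(#.*|echo [xc] - {NAME}|mkdir -p {NAME} > /dev/null 2>&1|exit)?$")
HEREDOC = re.compile(rf"^sed 's/\^X//' >({NAME}) << (\S+)$")


def audit_shar(text):
    """Parse a shar archive as data; return (files, findings), executing nothing."""
    files, findings = {}, []
    name = delim = None
    expands = False
    for n, line in enumerate(text.splitlines(), 1):
        if delim is not None:                      # inside a here-document
            if line == delim:
                name = delim = None
            elif not line.startswith("X"):
                findings.append((n, "here-document line lacks X prefix"))
            else:
                files[name].append(line[1:])       # literal content, never expanded
                if expands and re.search(r"[`$\\]", line):
                    findings.append((n, "X-line would be expanded by sh"))
            continue
        m = HEREDOC.match(line)
        if m:
            name, word = m.groups()
            quoted = len(word) > 2 and word[0] == word[-1] == "'"
            expands, delim = not quoted, word[1:-1] if quoted else word
            files[name] = []
            if expands:
                findings.append((n, "unquoted here-document delimiter"))
        elif not SAFE.match(line):                 # e.g. "Xorg ...; command"
            findings.append((n, "unexpected command outside here-document"))
    if delim is not None:
        findings.append((n, "unterminated here-document"))
    return {k: "\n".join(v) + "\n" for k, v in files.items()}, findings


# Constructed sample: one well-formed member, one with an unquoted delimiter,
# and one X-prefixed command line that egrep -v '^[X#]' would hide.
SAMPLE = """\
echo x - foo
sed 's/^X//' >foo << 'END-of-foo'
Xplain text with `backticks` stays literal
END-of-foo
echo x - bar
sed 's/^X//' >bar << END-of-bar
XBuilt by `id -un`
END-of-bar
Xorg 2>/dev/null; echo not-a-data-line
exit
"""
```

The returned `files` mapping holds each member's literal text, so an archive with no findings can be written out from it without ever invoking sh.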