>>>>> "Alexandre" == Alexandre Oliva <[EMAIL PROTECTED]> writes:

Alexandre> Yep, that's a very important concern. We don't want people
Alexandre> to start spreading word that autoconf introduces security
Alexandre> holes in your software.

Definitely. And actually working on Autoconf had become a bit
annoying, we really needed new challenges :)

Alexandre> configure some package that tests for long filenames.

He he he, will try that :)

Alexandre> Moreover, there's another problem: any user may simply
Alexandre> touch /tmp/conftest9012345 and cause autoconf to think long
Alexandre> filenames are not supported, unless the user sets TMPDIR to
Alexandre> something other than /tmp. No good.

If someone does this, it *must* be Larry Wall to demonstrate the
superiority of Metaconfig over Autoconf. Or some MS fanatic who wants
to bring his flaws into Unix :)

>> What would you suggest?

Alexandre> At the very least, we should make it harder for one to
Alexandre> guess the name of the files we use for the test, by using
Alexandre> the PID instead of a fixed filename.

BTW, I've long been looking for a portable way to shorten the $$, such
as using a-z too. Does someone know how to do that?

Alexandre> A better solution would be to create a unique subdirectory
Alexandre> in /tmp in which we create the files to perform this test.

But I seem to recall we once talked about this (creating a private tmp
dir to work in) about texi2dvi, and you told me it was dangerous
practice? I may recall badly. I'm all for testing in /tmp, it should
speed up in most cases, and dramatically simplify the various rm and
traps in Autoconf.

In texi2dvi, we do this:

  tmpdir=${TMPDIR:-/tmp}/t2d$$ # avoid collisions on 8.3 filesystems.
  # Create the temporary directory with strict rights
  (umask 077 && mkdir $tmpdir) || exit 1

How robust is this?

Alexandre> We should not accept a pre-existing directory, i.e., we
Alexandre> must attempt to create directories with different names
Alexandre> until mkdir succeeds.

Gosh, I love this tortured way to do simple things. Just give them a
couple of weeks, and the Debian guys will come up requiring that we use
mktemp :)

Akim
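
Added example (not part of the original message, and not Autoconf or texi2dvi code): a POSIX sh sketch of the approach discussed above, creating a private directory with mkdir, trying further names until mkdir succeeds, and running the long-filename probe inside it. The function names, the retry limit of 20 and the second probe name conftest9012346 are assumptions made for the example.

```sh
#!/bin/sh
# Added example: not Autoconf or texi2dvi code. Function names are hypothetical.

# make_private_tmpdir [PREFIX]
# Print the path of a newly created mode-0700 directory under ${TMPDIR:-/tmp}.
# Return 1 if no directory could be created after 20 attempts.
make_private_tmpdir() {
    mpt_prefix=${1:-conf}
    mpt_base=${TMPDIR:-/tmp}
    mpt_try=0
    while [ "$mpt_try" -lt 20 ]; do
        mpt_dir=$mpt_base/$mpt_prefix$$-$mpt_try
        # Plain mkdir (no -p) fails if the name already exists as a file,
        # a directory or a symlink, so a pre-planted entry is never adopted.
        # The name is guessable; the safety comes from create-or-fail.
        if (umask 077 && mkdir "$mpt_dir") 2>/dev/null; then
            printf '%s\n' "$mpt_dir"
            return 0
        fi
        mpt_try=$((mpt_try + 1))
    done
    return 1
}

# long_names_ok DIR
# Succeed if DIR keeps two 15-character names that differ only in their
# last character distinct. The second name is an assumption of this example.
long_names_ok() {
    (echo 1 >"$1/conftest9012345" &&
     echo 2 >"$1/conftest9012346") 2>/dev/null || return 1
    # On a filesystem that truncates to 14 characters the second write
    # lands on the first file, which then reads back as 2.
    [ "$(cat "$1/conftest9012345" 2>/dev/null)" = 1 ]
}

# Demo: run the probe where no other user can create files first.
if demo_dir=$(make_private_tmpdir conf); then
    if long_names_ok "$demo_dir"; then
        echo "long file names: yes"
    else
        echo "long file names: no"
    fi
    rm -rf "$demo_dir"
else
    echo "could not create a private temporary directory" >&2
fi
```

Another user who pre-creates every candidate name can still make the function fail, but cannot get the script to work inside a directory that user controls.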