On Sat, Jun 17, 2006 at 06:00:27AM +0200, Tobias Ulmer wrote: <snip>
> While I like this tool well, the attitude of the main developer
> regarding security issues is very disturbing. (The bugtracker of the
> project and securityfocus are a good read on that)
>
> My question is, should we bother and fix these issues? I have some but
> by far not all patches ready. The sad part of it is that most won't
> make it back into cscope...
>
> IMHO, cscope could as well be 'cvs rm -f'ed

I would hope people aren't running it only as root on multi-user systems. I don't really view cscope as high risk software. I know of at least two OpenBSD developers who use cscope regularly, so it'd certainly be better to keep it around.

We typically don't like to maintain large patchsets in the ports tree. Maybe just fix the temp file problem and some of the other big issues so you can sleep better at night? Or work with the cscope guys and tell them how to roll their own snprintf function for DOS. Or if you're really dedicated, finish your patchset and fork cscope ;)
