Matthieu Herrb <[email protected]> wrote:

> Generally, I'm not too fond of pledging/unveiling random X client
> programs. There are a lot of "hidden" features in X libraries that
> will probably break with too strict pledges and/or unveils.

Well eventually we want to see if something can be done about xterm.
Especially if the lessons learned (I suspect some hoisting will occur)
can be pushed back upstream, and maybe allow others to apply their
own system call limiter mechanism.  Perhaps not possible...

> Also since this is OpenBSD-specific, it will be difficult to get it
> upstream, especially if you don't provide the autoconf goo to make
> the code still build/work on Linux. And when not upstreaming it
> creates more burden to merge new versions of the applications.

Well, I doubt it will create too much burden, generally these unveil
or pledge chunks are a small set of + lines, without changing other
logic.

Anyways, bdftopcf is not running near a security boundary.
