[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: not hardwiring gpg
From: |
Ralf Wildenhues |
Subject: |
Re: not hardwiring gpg |
Date: |
Tue, 18 Dec 2007 17:26:15 +0100 |
User-agent: |
Mutt/1.5.13 (2006-08-11) |
* Jim Meyering wrote on Tue, Dec 18, 2007 at 04:51:33PM CET:
> Ralf Wildenhues <address@hidden> wrote:
> >
> > I don't object, but your change would do good with a small explanation
> > to refute Gary's argument for the commit in Automake that added the full
> > name in the first place, <5176801c82cc0ea98b344260b4accf4cab08a0e3>, see
> > <http://thread.gmane.org/gmane.comp.gnu.libtool.patches/1533/focus=1546>.
>
> If the hypothetical cracker ever gets in to my (or any developer's) system
> with sufficient privilege to modify the contents of directories in my PATH
> (or change my PATH altogether), they can already compromise my development
> work in so many ways that using such absolute names in gnupload
> gives reduced functionality with no added security.
>
> I thought this was common knowledge, along with the "don't hard-code
> file names" dictum, but if you still think it's worth a comment in
> the code, I'll add one.
I know the reasoning and approve of it; my point is that, whenever you
explicitly undo an earlier change, then you note that you do it *on
purpose*, either in the ChangeLog entry or the git commit entry, so that
the next person looking at the history will not have to do guesswork.
This applies pretty much regardless of the obviousness of the actual
change.
So, please commit, and e.g., put the first paragraph of your reply in
the log.
Thanks,
Ralf