[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Texi2html] merge of texi2html in texinfo
From: |
Patrice Dumas |
Subject: |
Re: [Texi2html] merge of texi2html in texinfo |
Date: |
Mon, 23 Nov 2009 00:55:52 +0100 |
User-agent: |
Mutt/1.5.20 (2009-06-14) |
On Sun, Nov 22, 2009 at 11:27:14PM +0000, Karl Berry wrote:
> Because one doesn't know if the perl is the same than the one
> used for configuration,
>
> My hypothesis is that the code is written to work with most any
> non-ancient perl and does not depend on configure-time tests.
In fact, in general the features are tested at runtime, if I recall well,
but there is a big difference between pre 5.6.? where there was no
utf8 support.
> and this could even open security issues.
>
> Shrug. Executing any program at any time is a security issue. If a Bad
> Guy has created an executable perl in the PATH, the system is hopelessly
> compromised anyway.
It really depends on the system. If the system is something executing
automatically texi2any, then having hard-coded paths could really avoid
or render harder some exploits (for example for texi2any invoked in a
cgi script or as part of a build system).
> that it is better to have a repdroducable wrong path than a 'random' one.
>
> Ok, if that's what you want. I don't insist.
I don't feel very strongly either. In fact as a sysadmin, I dislike having
env in shebangs, so I want to have it here so too. But maybe what I would
like as a sysadmin and the shipped defaults should be different.
There are 2 other arguments that are not as strong in my opinion, but
worth considering. 1) unless I am wrong the debian guidelines impose not
using an env shebang, on fedora although this is not a MUST, it is preferred.
2) rpm uses the shebang to find out automatic dependencies on interpreter.
--
Pat