Re: [Gnu-arch-users] Re: Default version for star-merge (and more)

gnu-arch-users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Gnu-arch-users] Re: Default version for star-merge (and more)

From:	Aaron Bentley
Subject:	Re: [Gnu-arch-users] Re: Default version for star-merge (and more)
Date:	Tue, 13 Jul 2004 17:54:28 -0400
User-agent:	Mozilla Thunderbird 0.5 (X11/20040309)

Tom Lord wrote:

    > From: Aaron Bentley <address@hidden>
> I suppose a way around the security issue is to *always* have an> +aliases, and require the user to do something to copy aliases from> =aliases to +aliases.
Better: just be sure that no name (command argument) is interpreted as
an alias unless the user uses a very distinctive syntax (e.g., :parent
rather than parent).

Oh, I was talking about the security implications of somone replacing anexisting alias. Say a there was an in-tree alias devo =address@hidden/tla--devo--1.3, and I tricked someone into replacingit with devo = address@hidden/tla--haxored--1.3 byincluding that change with a bunch of bugfixes.

I've been using prefixless aliases for a while now, and I think as longas valid revision/version names are never expanded, they're pretty safe.

Unfortunately, some commands like "get" can take a category, andcategories look a lot like aliases.


Aaron

--
Aaron Bentley
Director of Technology
Panometrics, Inc.

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Gnu-arch-users] Re: Default version for star-merge (and more), (continued)

Prev by Date: Re: [Gnu-arch-users] Re: Default version for star-merge (and more)
Next by Date: Re: [Gnu-arch-users] Re: Default version for star-merge (and more)
Previous by thread: Re: [Gnu-arch-users] Re: Default version for star-merge (and more)
Next by thread: Re: [Gnu-arch-users] Re: Default version for star-merge (and more)
Index(es):
- Date
- Thread