Received: from mx1.mailbun.net (unknown [170.39.20.100])
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id A8B7F782D05
	for <~alpine/devel@lists.alpinelinux.org>; Wed,  7 Apr 2021 16:32:17 +0000 (UTC)
Received: from nanabozho.lan (unknown [107.125.25.71])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	(Authenticated sender: ariadne@dereferenced.org)
	by mx1.mailbun.net (Postfix) with ESMTPSA id 8F92A144D56;
	Wed,  7 Apr 2021 16:32:13 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dereferenced.org;
	s=mailbun; t=1617813134;
	bh=UHFHV+im8tXMBmvMRCvaOhT6tPyKXoGiIa/6qDgnVBA=;
	h=Date:From:To:cc:Subject:In-Reply-To:References;
	b=cGj42n/UiGhuDvM9lV19XDMCiLAm4v4uite+ltoQwRHepCALOEuMaHylDk3pRWhI1
	 YgdJtwfxeTkhleasWFh1wNFdbVaOxgNHLYhAGc061uVffqe2lMalr3ymy2i8M5jTpL
	 ltSN8EYWw/oGBoa/dFtbrSciBa2/ZjuOoS0Mw2Ft/zxAlVDhRRPZwskAWHbhhlKl6I
	 rXwtkJhUYlA11PFdoTWqQqf0FUOa60IcV6wZUN1f4hEMVQfHHOmND7kA5Y1nnS8nES
	 UGuv9Tan3JA3laaCEpucri25qsacs6O0wCalYWNEW+ZgWXbwccrMj1k5zJAvd7EBWd
	 3KwuVg4Ug69eQ==
Date: Wed, 7 Apr 2021 10:32:15 -0600 (MDT)
From: Ariadne Conill <ariadne@dereferenced.org>
To: Wolf <wolf@wolfsden.cz>
cc: Ariadne Conill <ariadne@dereferenced.org>, 
    ~alpine/devel@lists.alpinelinux.org
Subject: Re: [3.15] System change proposal: Use netbsd-curses instead of GNU
 ncurses
In-Reply-To: <20210407114719.qcup2wefxby523ez@wolfsden.cz>
Message-ID: <222542a7-4875-9620-21aa-e7f169a548f@dereferenced.org>
References: <e12847f2-4cea-c3e8-84c3-e98b92553f8e@dereferenced.org> <20210407114719.qcup2wefxby523ez@wolfsden.cz>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed

Hello,

On Wed, 7 Apr 2021, Wolf wrote:

> Hello,
>
> On 2021-04-06 12:17:33 -0600, Ariadne Conill wrote:
>> * Both libraries implement the POSIX curses API.
>>
>> This means, 99% of applications won't need patching and should be basically
>> compatible.
>
> (Incomplete) list of differences at [0] seems to contain only
> hard-to-debug, easy-to-miss type of things.
>
>> new_item
>
> This will just introduce memory bloat since every string in items will
> now be present twice.

I don't think the impact of this is that heavy, and having multiple copies 
of a string is preferable from a security PoV, as it means there's not 
multiple places where a single string can be corrupted with a write.

>> post_menu
>
> Will just not work (and return error no one will likely check) instead
> of truncating (which might be fine for most software).

This should probably be fine.

>> getnstr
>
> Not sure what the implications here are, but sounds like buffer
> overflow.
>
> All these things by themselves are fairly reasonable, however if
> software assumes ncurses behaviour, I'm afraid they will be hard to
> notice since none of them should lead to hard crash, but instead just to
> worse/suboptimal behavior.
>
> Is there a plan to go over whole aports to make sure none of the
> programs uses these functions the wrong way for openbsd-curses? What
> about new packages? I'm not sure it is possible to have some kind of
> linter for this.

It is not possible to have a linter, but as previously noted, other 
distributions have adopted this curses implementation and have largely not 
had problems.

Ariadne