Date: Wed, 7 Apr 2021 10:32:15 -0600 (MDT)
From: Ariadne Conill
To: Wolf
cc: Ariadne Conill, ~alpine/devel@lists.alpinelinux.org
Subject: Re: [3.15] System change proposal: Use netbsd-curses instead of GNU ncurses
In-Reply-To: <20210407114719.qcup2wefxby523ez@wolfsden.cz>
Message-ID: <222542a7-4875-9620-21aa-e7f169a548f@dereferenced.org>
References: <20210407114719.qcup2wefxby523ez@wolfsden.cz>

Hello,

On Wed, 7 Apr 2021, Wolf wrote:

> Hello,
>
> On 2021-04-06 12:17:33 -0600, Ariadne Conill wrote:
>> * Both libraries implement the POSIX curses API.
>>
>> This means, 99% of applications won't need patching and should be basically
>> compatible.
>
> (Incomplete) list of differences at [0] seems to contain only
> hard-to-debug, easy-to-miss type of things.
>
>> new_item
>
> This will just introduce memory bloat since every string in items will
> now be present twice.

I don't think the impact of this is that heavy, and having multiple copies
of a string is preferable from a security PoV, as it means there's not
multiple places where a single string can be corrupted with a write.

>> post_menu
>
> Will just not work (and return error no one will likely check) instead
> of truncating (which might be fine for most software).

This should probably be fine.

>> getnstr
>
> Not sure what the implications here are, but sounds like buffer
> overflow.
>
> All these things by themselves are fairly reasonable, however if
> software assumes ncurses behaviour, I'm afraid they will be hard to
> notice since none of them should lead to hard crash, but instead just to
> worse/suboptimal behavior.
>
> Is there a plan to go over whole aports to make sure none of the
> programs uses these functions the wrong way for openbsd-curses? What
> about new packages? I'm not sure it is possible to have some kind of
> linter for this.

It is not possible to have a linter, but as previously noted, other
distributions have adopted this curses implementation and have largely not
had problems.

Ariadne