Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Mon, 26 Jan 2015 07:49:06 +0300
From: "(GalaxyMaster)" <galaxy@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: libnet

Solar,

On Mon, Jan 12, 2015 at 02:38:41AM +0300, Solar Designer wrote:
> What was the reason you chose to update our libnet from the latest
> official 1.1.3 (after which the project was abandoned upstream) to the
> unofficial or new maintainers' 1.2rc3?

It is from the new maintainer (Sam Roberts <vieuxtech@...il.com>) at
https://github.com/sam-github/libnet .  The reason I updated libnet was
the incompatibility with the new toolchain.  My options were as follows:

1. try to fix the old package with the new toolchain;

2. update to 1.1.6, which is used by FC/RHEL but was released in 2012;

3. update to 1.2rc3, which is the current candidate for 1.2.

Option 1 required a lot of effort in comparison to the other two. The
difference between 1.1.6 and 1.2rc3 was mostly cosmetic plus some memory
leak fixes (I was skipping most of the Win32 commits since it looked like
there was an effort to bring libnet up to date with the build
environment on Win32 and OS X and there were many commits to address
these platforms).  Since an update from 1.1.3 to either 1.1.6 or 1.2rc3
was bringing approximately the same amount of changes, I decided to go
for 1.2rc3 since it was a bit cleaner.

Moreover, libnet is required by a single package in Owl, which is
libnids.  libnids is also required by a single package - your scanlogd.
So, my logic was that given that the primary effort of the new
maintainer was to clean the code up (they did some Coverity tests
between 1.1.5 and 1.1.6), that the 1.1.6 version has been there for a
while in other distros with no patches, that the 1.2rc3 version is not
that different from 1.1.6, and that we have just one package actually
depending on libnet - I decided to go for 1.2rc3.

> I am concerned that we're getting non-reviewed code in.

I admit that I didn't closely review the code (I just went over the
commits from version 1.1.3 till 1.2rc3 and dove in on commits that
caught my eye); however, I'm not sure that the effort of fully
reviewing this library is properly justified given that libnet is only
used by scanlogd via libnids.

-- 
(GM)
