Author: Irrwahn Date: To: Florian Zieboll, dng Subject: Re: [DNG] Request for Removal of slim package from Devuan
On Wed, 25 May 2016 12:08:12 +0200, Florian Zieboll wrote: > On Tue, 24 May 2016 23:07:33 +0200
> Irrwahn <irrwahn@???> wrote:
>
>> In my humble opinion a quality distribution like Devuan
>> should not show a potential weakness at such a crucial
>> spot by shipping a package in questionable condition.
>
>
> Hallo Irrwahn,
>
> in an earlier mail you wrote regarding slim:
>
> | Subject: Re: [DNG] How to change default session
> | Date: Mon, 23 May 2016 23:14:11 +0200
> |
> | (...) plus there were some other more severe problems with it (if
> | my memory serves me right
>
> Can you elaborate on this?
One specific thing I recall is slim leaking memory on each
login cycle. That might not sound dramatic per se (given the
amount of RAM present in even tiny machines today), but in
my experience is usually the symptom of an underlying more
severe problem or design flaw. And, it can very well be used
as an attack vector.
> I remember strange behavior on my PC (random
> swallowing of approx. 30-50% of the characters typed on tty1 => login
> ~impossible on tty1) a few years ago, definitely related to slim. IIRC,
> at that time probably somewhat paranoid me didn't troubleshoot (besides
> the usual websearch magic) this any further but quietly switched over to
> lightdm to avoid going even more crazy ;)
>
> This is not meant to be about retroactively solving a no longer
> reproducible bug, just my two trade beads worth of objective experience
> with slim, plus some curiosity.
Just out of curiosity, I downloaded the slim source package
and built the poor thing. Now I wish I had not, because
compiler diagnostics like that:
/tmp/slim-1.3.6/app.cpp:478:26: warning: ‘pw’ may be used uninitialized in this function [-Wmaybe-uninitialized]
correct = pw->pw_passwd;
are not exactly what I call confidence-inspiring. And
definitely not something I want to see while building a login
manager!
Sure, it *could* be just the usual gcc noise, but to tell,
one would have to dig in the code and confirm. And than
*bloody* *fix* it, for Ritchie's sake, and be it only to
silence a gratuitous warning to make life easier for the next
person to build the thing!
Sorry for getting all worked up, but things like that really
irritate me. What trust shall I put in an author who doesn't
even seem to care, when the compiler already has him by the
balls?