somewhat OT: configure and mterm was Re: Vintage terminals
mouse at Rodents.Montreal.QC.CA
Fri Mar 9 09:24:54 CST 2007
>>>> But these days, [vttest] uses ./configure, which is a security
>>>> nightmare waiting to happen.
>>> Uhh...WTF? Do you do your builds as root or something?
>> No (well, not most of them); why? Do you think running malicious
>> code is fine provided you're not running as root?
> What portion of it is malicious (asking honestly)?
The thing is, configure is an excellent place to hide a malicious
grappling hook: it is frequently run by naïve installers, not
uncommonly as root; by the nature of what it does, it is hard to
sandbox (for example, it *must* be able to compile and run new
programs); it is large and comparatively difficult to read over for
This means that unless I take an hour or two and read through
configure, I'm basically betting the security of my system that the
distribution didn't get trojaned. Even if I *do* take that hour or
two, reading configure is mind-numbing enough that it's easy to miss
something subtle. (I've read through a couple of configure scripts.)
I've thought about how I'd go about trojaning a configure script, and
the answers scare me enough that I have to want something quite a lot
before I'm willing to "just run ./configure".
This is why I called it "a security nightmare waiting to happen".
As interested as I am in how mterm -termtype decansi stacks up against
vttest, I'm not nearly interested enough to be willing to either take
that risk or take that boring couple of hours (still leaving some
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML mouse at rodents.montreal.qc.ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
More information about the cctalk