shars and security concerns.

Thu May 3 02:03:46 AEST 1990

In article <1203 at chinacat.Unicom.COM> chip at chinacat.Unicom.COM (Chip Rosenthal) writes:
>In article <518 at cpsolv.CPS.COM> rhg at cpsolv.uucp (Richard H. Gumpertz) writes:
>> [ in response to my flame that smart shar's are evil and rude ]
>
>While my original message was certainly a flame, this isn't.  I do have

I said I wasn't gonna say anything else on this topic.  But, alas, ...

>By far the *worst* of the smart shar archives are those which try to be
>cute and split files across multi-part archives so that they are all the
>same length.  This is just anal to the max. 

Anal?  Anal?  Most of the anal types I know would have it squirting out
all over if they thought one of their files had been split up by a
program.  It is merely a side effect that the shar sizes are similar;
the purpose is to limit the size to accommodate mail systems or other
transport mechanisms.  Somebody in the history of this evil neo-pseudo-shar
thought it a disk-consuming limitation that you had to have disk
temporarily available for the entire shar set, the file parts it unwraps
AND the target reconstructed files.  I agree with him.

>>You provide awk and sed but refuse to provide fgrep?  How is the latter any
>>more dangerous?
>
>It isn't any more dangerous.  The question is do I have to provide an
>entire filesystem of bin utilities just in order to let a lousy shar
>package unbundle itself?

Why not?  I do.  As a matter of fact, the programs in /bin have been
tested to the satisfaction of most.  The shell scripts unwrapped by the
shar are _probably_ going to have access to /bin ;->.

>Look, the purpose of a shar archive is really simple - to provide a bunch
>of files in a self-extracting format.  Most of the whizzy features people
>throw into their shar archive do nothing to enhance this base purpose.
>They are just crap...err...unrequired features.

To you, then, perhaps a shell should check a program name against
an approved list of programs and execute it, passing arguments as is.
Other features are unnecessary.

>Now, this isn't an absolute.  The shar's I make aren't just "cat<<'EOF'".
>I do use sed, wc, and test (and mkdir if required).  But that's it.  I also
>justified to myself the added complexity of each "improvement".  I wish
>more folks would.  Keep it simple.  Please?!!??

Oh, ok, you do recognize the need for ...err... features.  Please allow
others to justify to themselves the need for "additional complexity".
All of the features I've seen in any shar producer are really quite simple.

>Not rhetorical: would shar format be an appropriate topic for an RFC?

Now, _that_ is anal.

If you are worried by the commands I use to deliver source to you, you
will probably be terrified of the fact that system calls are in that
source.  My advice is to let us keep our shars and if your amniotic
membrane won't let the source inside, just rm and forget it. You don't
need the trauma.  Jeez, at least shell and editor wars had some religious
validity. But shar wars?

------------------------------------------------------------------
Warren Tucker, TuckerWare gatech!n4hgf!wht or wht%n4hgf at gatech.edu
McCarthyism did to cinema what ANSI did to C,  cast a great number
of characters into the void.