Re: Software platform for mc development.

From: Pavel Roskin <proski gnu org>
To: christian laubscher <christian laubscher tiscalinet ch>
Cc: mc gnome org
Subject: Re: Software platform for mc development.
Date: Tue, 5 Nov 2002 18:27:46 -0500 (EST)

Hi, Christian!

(Sorry, maybe I shouldn't capitalize your name.  Strange, I thought even
impersonal nouns are capitalized in German.  I'm confused.)

not meaning to overly annoy you, but:


I'm not annoyed by direct discussion without hidden information here and
there.

[...], I'd certainly consider moving to whatever the development
team is using.

I don't see any logic here.


there might be some merits to the way carl thinks, though:


I agree that there might be some merits.  Especially if he stated if he is
going to help with development or he just wants to get the most stable mc.

(I think my suggestion would be Debian unstable for development and
Mandrake 9.0 for stability.)

not too long ago, you mentioned something like taking out the shadow
password support out of mcserv. 'my' distribution is slackware, out of
inertness, maybe; and slack still uses shadow passwords. shouldn't i,
for one, be better off using a distribution 'accepted' by the mc
developers - in the long run?


Maybe, in the "middle run".  If I had slackware around I would probably
have re-added shadow passwords, just "because I can".  I really don't want
to have anything security related that the users say doesn't work and I
cannot fix without spending significant efforts on it (I didn't even have
spare place on the hard drive back then).

However, mcserv is not secure by design, since it sends passwords
unencrypted.  So, in the _long_ run, somebody would sniff your password,
and that would be your real password from /etc/shadow.

As I see it, mcserv is not meant for systems capable of running sshd, ftp
server and mc itself.  It's a great tool for running on something like
OpenAP (http://opensource.instant802.com/) with 4Mb RAM and 1Mb ROM,
sitting on your table behind corporate firewall (and even then, nfs is
better).

When sftp support is added to mc, when a tiny ftp server is added to
busybox (http://busybox.net/), when the ftp support in mc is improved,
then I'll be in a better position to remove mcserv.  For now, I'm open to
fixes that work.

Believe me, if somebody cared about mcserv with shadow passwords enough to
ask in the mailing list, and if he or she gave valid arguments why it's 
needed, I would have added this problem to the TODO list already.

Miguel's argument that mc is useful for establishing connections without
being root is not applicable to /etc/shadow, which is only readable by
root.  You have run mcserv as root to use /etc/shadow.

Why should I fix something that nobody can be bothered to report.  Not to
mention that lseek() (and hence the viewer) over mcfs was broken on i386
(and perhaps on most 32-bit little-endian architectures) in mc-4.6.0-pre1
(released in August) and I'm yet to see a single bugreport.

-- 
Regards,
Pavel Roskin

Follow-Ups:
- Re: Software platform for mc development.
  - From: Mathieu Roy

References:
- Re: Software platform for mc development.
  - From: christian laubscher

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]