[MPlayer-dev-eng] Re: [PATCH] Runtime Option to view the configure line used

Diego Biurrun diego at biurrun.de
Tue Nov 14 00:55:14 CET 2006


On Tue, Nov 14, 2006 at 01:30:15AM +0200, Ivan Kalvachev wrote:
> 2006/11/12, Brian Murray <brian at game-sat.com>:
> >
> >On 12-Nov-06, at 11:53 AM, Diego Biurrun wrote:
> >
> >> *Please* don't top post.
> >>
> >> On Sun, Nov 12, 2006 at 11:45:56AM -0700, Brian Murray wrote:
> >>> Ok. Done. I still think a -configure-with is a good idea, but the -
> >>> msglevel likely was overkill. Now it only displays with -v.
> >>
> >> This addresses only one part of my review, the info is not printed by
> >> MEncoder now.  Also, it's not necessary to print the gcc version (much
> >> less with ugly #ifdefs), that's already part of the version string.
> >>
> >>> On 12-Nov-06, at 6:52 AM, Diego Biurrun wrote:
> >>>
> >>>> On Sat, Nov 11, 2006 at 07:52:29PM -0700, Brian Murray wrote:
> >>>>> Ok. It responds to the -msglevel option of 'config', at level 5 and
> >>>>> above.
> >>>>>
> >>>>> When bug reports are submitted, all= will catch them. Should
> >>>>> help. :)
> >>>>>
> >>>>> It still responds to -configure-with. I think this is a
> >>>>> necessity, as
> >>>>> it makes it very simple for a user to pull out the configure line
> >>>>> that was used, instead of digging through pages of output, or
> >>>>> needing
> >>>>> to learn the -msglevel syntax.
> >>>>
> >>>> This is overkill IMO.  MPlayer (and MEncoder) should just output
> >>>> this
> >>>> info in verbose mode, nothing more.
> >
> >I added it to mencoder now, and removed the #ifdef's.
> 
> I'd like to ask for a feature of this feature.
> 
> When package maintainer uses -with- options and gives full path names,
> including this info in the distributed binary could lead to a security
> risk.
> (attacker could find a way to inject file in that location that
> eventually would end up in next version of mplayer package).

This must be the most esoteric attack scenario I have ever heard of.  If
you have that much control over a packager's machine, trojaning packages
is easy...

Diego




More information about the MPlayer-dev-eng mailing list