[MPlayer-dev-eng] Re: [PATCH] Runtime Option to view the configure line used

Brian Murray brian at game-sat.com
Mon Nov 27 17:05:40 CET 2006


On 13-Nov-06, at 4:55 PM, Diego Biurrun wrote:

> On Tue, Nov 14, 2006 at 01:30:15AM +0200, Ivan Kalvachev wrote:
>> 2006/11/12, Brian Murray <brian at game-sat.com>:
>>>
>>> On 12-Nov-06, at 11:53 AM, Diego Biurrun wrote:
>>>
>>>> *Please* don't top post.
>>>>
>>>> On Sun, Nov 12, 2006 at 11:45:56AM -0700, Brian Murray wrote:
>>>>> Ok. Done. I still think a -configure-with is a good idea, but  
>>>>> the -
>>>>> msglevel likely was overkill. Now it only displays with -v.
>>>>
>>>> This addresses only one part of my review, the info is not  
>>>> printed by
>>>> MEncoder now.  Also, it's not necessary to print the gcc version  
>>>> (much
>>>> less with ugly #ifdefs), that's already part of the version string.
>>>>
>>>>> On 12-Nov-06, at 6:52 AM, Diego Biurrun wrote:
>>>>>
>>>>>> On Sat, Nov 11, 2006 at 07:52:29PM -0700, Brian Murray wrote:
>>>>>>> Ok. It responds to the -msglevel option of 'config', at level  
>>>>>>> 5 and
>>>>>>> above.
>>>>>>>
>>>>>>> When bug reports are submitted, all= will catch them. Should
>>>>>>> help. :)
>>>>>>>
>>>>>>> It still responds to -configure-with. I think this is a
>>>>>>> necessity, as
>>>>>>> it makes it very simple for a user to pull out the configure  
>>>>>>> line
>>>>>>> that was used, instead of digging through pages of output, or
>>>>>>> needing
>>>>>>> to learn the -msglevel syntax.
>>>>>>
>>>>>> This is overkill IMO.  MPlayer (and MEncoder) should just output
>>>>>> this
>>>>>> info in verbose mode, nothing more.
>>>
>>> I added it to mencoder now, and removed the #ifdef's.
>>
>> I'd like to ask for a feature of this feature.
>>
>> When package maintainer uses -with- options and gives full path  
>> names,
>> including this info in the distributed binary could lead to a  
>> security
>> risk.
>> (attacker could find a way to inject file in that location that
>> eventually would end up in next version of mplayer package).
>
> This must be the most esoteric attack scenario I have ever heard  
> of.  If
> you have that much control over a packager's machine, trojaning  
> packages
> is easy...
>
> Diego

Is there anything else that needs to be done to get this patch  
committed to the head?

-Brian



More information about the MPlayer-dev-eng mailing list