Subject: [gopher] Antwort: Re: finally i find other gopherfans... (gn maintainer)
From: "Stefan Koerner"
To: John Goerzen
Cc: ripclaw@rocklinux.org, gopher@complete.org
Date: Tue, 15 Jan 2002 19:01:54 +0100

hi john !

> > i have an entire mirror of the 1997 site archived on tape,
> > and the tarball for the last official release up on my homepage
> > at http://www.rocklinux.org/people/ripclaw/software/gopher -
> > sorry for not having a gopher, it wasn`t secure enough.
>
> I'm glad to hear about someone maintaining gn!  I had thought it had
> died out into oblivion.

john frank nearly forgot about his (bastard) childe as he called it
between the lines.

> > seeing other people release something the like is an enormous
> > boost to my morale, and will finally get me onto my ass and fixing
> > some of the source soon.
>
> Excellent :-)
>
> If you need any resources (esp. CVS repository or some such), let me
> know.

thanks for the offer, i`m port maintainer at rocklinux.org, i can get the
resources. i just do not like remote CVS, so i keep stuff up there in
tarballs and scp it up there.

> > since you guys probably went through the same thing,
> > where is sufficient info on security related changes
> > (str*n* functions in C) available ?
>
> Hmm.  You might start here:
>
> http://rr.sans.org/threats/buffer_overflow.php

thanks.

> Basically, these functions are often unsafe:
>
> strcpy
> strcat
> sprintf
> gets
>
> It's because you can copy a string larger than the destination into
> it.  In place, you'd want to use the "n" functions -- strncpy, etc.

i know that they work by having you name the number of bytes to copy,
but the glibc documentation for it was too sketchy and the differences
between e.g. the various *nprintf variants and the internally used formats
did not clearly arise into my mind after reading the documentation
and the usual glibc cruft.
especially i did not see where the usage/performance advantages were at.

i did a bit of research and ran ITS4 against it, the warnings are available
at http://www.rocklinux.org/~ripclaw/gn-its4.tar

since this is the first time i do a source audit, help would be appreciated.

the source tarball is located at
http://www.rocklinux.org/people/ripclaw/projects/software/gopher/
if someone could e.g. pick a nice case and make a sample on that.
i tried some, they compiled and it worked, but i did not feel too sure,
since i had no time to mess with c for almost half a year now.

> > my dreams currently focus on a gopher-only multithreading server
> > with ssl/tls support and a ssh-for-telnet trade.
>
> Nice.
>
> You might want to look over CVS diffs from UMN gopherd to get an idea
> of the stuff that has been changed.

did anything fundamental (e.g. protocol extensions) change ?
anything that could possibly break compatibility is of interest.
(tried to get xgopher 1.3 to work yesterday, still having minor (spare time)
problem with it not accepting gopher.quux.* as a startup host.)

> > i ran into some compile problems with gopher-3.0.2 on my box,
> > i`ll find time and figure out.
>
> You might want to send the build log to me and I'll see what I can
> find.

i`m sure it is about library locations and ./configure options I need.
if i run into anything unusual, i`ll tell you, else i`ll try packaging
it for rocklinux soon.

kind regards,
stefan
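
An added example, not part of the original message and not taken from the gn source: bounded replacements for the four functions listed above (strcpy, strcat, sprintf, gets), plus the strncpy case that leaves the buffer unterminated. The helper names are hypothetical and the paths are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Added example; helper names are hypothetical, not gn code.
 * strcpy/sprintf replacement: dst is always NUL-terminated.
 * Returns 0 if the text fit, -1 if it was truncated. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    int n = snprintf(dst, dstsize, "%s", src);
    return (n >= 0 && (size_t)n < dstsize) ? 0 : -1;
}

/* strcat replacement: append src after the string already in dst. */
int append_bounded(char *dst, size_t dstsize, const char *src)
{
    char *end = memchr(dst, '\0', dstsize);
    if (end == NULL) return -1;          /* dst itself is unterminated */
    return copy_bounded(end, dstsize - (size_t)(end - dst), src);
}

/* gets replacement: read one line, strip CR/LF, reject overlong lines. */
int read_line(char *dst, size_t dstsize, FILE *in)
{
    if (dstsize < 2 || fgets(dst, (int)dstsize, in) == NULL) return -1;
    size_t len = strcspn(dst, "\r\n");
    if (dst[len] == '\0' && !feof(in)) return -1;  /* buffer full, no newline */
    dst[len] = '\0';
    return 0;
}

/* strncpy pitfall: when strlen(src) >= n it writes no terminator.
 * Returns 1 if an 8-byte buffer ends up terminated, 0 if not. */
int strncpy_terminates(const char *src)
{
    char buf[8];
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) != NULL;
}

int main(void)
{
    char path[32];                       /* constructed sample values below */
    int rc = copy_bounded(path, sizeof path, "/home/gopher");
    rc |= append_bounded(path, sizeof path, "/docs/readme.txt");
    printf("%d %s\n", rc, path);
    rc = append_bounded(path, sizeof path, "/a/very/long/selector/from/the/client");
    printf("%d %s\n", rc, path);         /* truncated but still terminated */
    printf("%d %d\n", strncpy_terminates("short"), strncpy_terminates("12345678"));
    return 0;
}
```

The return value is the part that matters in an audit: a truncated path or request line should be rejected by the caller, not used as if it were complete.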