[kaffe] Re: 'mktemp' check in configure (or kaffe shell script does not work)

Dalibor Topic robilad at kaffe.org
Thu Oct 2 13:17:02 PDT 2003


Helmer Krämer wrote:
> On Tue, 30 Sep 2003 15:53:33 +0900 (JST)
> Kiyo Inaba <inaba at src.ricoh.co.jp> wrote:
> 
> Hi,
> 
> 
>>I said,
>>
>>>As the subject line says, configure.in version 1.200 introduced existence check
>>>for 'mktemp' command, but it does not change anything for configure script.
>>>This command is used in 'kaffe' shell script and if we don't have mktemp
>>>(well, this is the case for me on Solaris) the final 'kaffe' script does
>>>not work properly if you set debug flag.
>>
>>If we don't do anything while configure for missing mktemp, then I think
>>this check is not needed anyway. Or, of course we can warn the user while
>>configure for the missing tool (or, just say 'See FAQ.requiredlibrary').
> 
> 
> AFAIK, mktemp is used to generate a unique filename which can
> be used for a small gdb script that's passed via -command to
> gdb. Why do we have to use mktemp here anyways? I think if someone
> wants to debug kaffe, they'll be well able to imagine a unique
> filename and set KAFFE_DEBUG_TEMPFILE accordingly, don't they?

I see two reasons that speak for using mktemp.

a) convenience of use (once you have mktemp installed). you don't need to 
bother submitting a temp file to the script. you don't need to know why 
you'd need to submit it.
b) security. mktemp creates secure temp files, whereas the old method 
(let the user pick a file, or worse, use a pseudo random /tmp file) can 
lead to exploitable security holes. See 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=191866

so I'd propose adding an informative warning message to configure.in if 
mktemp is not found, and documenting it in FAQ.requiredlibrary. On the 
other hand, if you feel that the manual solution is better, I don't mind 
if you convert the code back to manual setting of KAFFE_DEBUG_TEMPFILE.

cheers,
dalibor topic
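
The trade-off discussed in this message, as an added example that is not part of the original post and is not kaffe's own script code: prefer mktemp for the gdb command file, and if it is missing fall back to a user-supplied KAFFE_DEBUG_TEMPFILE that is only accepted when it can be created fresh. The function name `make_gdb_cmdfile` and the `kaffe-gdb.XXXXXX` template are assumptions.

```shell
#!/bin/sh
# Added illustration. make_gdb_cmdfile and the file name template are
# hypothetical; only KAFFE_DEBUG_TEMPFILE and gdb's -command option come
# from the thread above.

# Prints the path of a newly created, private file for the gdb script.
# Returns non-zero (and creates nothing) if that cannot be done safely.
make_gdb_cmdfile() {
    # Preferred path: mktemp picks an unpredictable name and creates the
    # file atomically with mode 0600, so a name planted in /tmp by
    # another local user cannot be reused or followed.
    if command -v mktemp >/dev/null 2>&1; then
        mktemp "${TMPDIR:-/tmp}/kaffe-gdb.XXXXXX" || return 1
        return 0
    fi

    # No mktemp (the Solaris case in the thread): require the manual
    # setting instead of inventing a guessable /tmp name.
    if [ -z "${KAFFE_DEBUG_TEMPFILE:-}" ]; then
        echo "mktemp not found; set KAFFE_DEBUG_TEMPFILE to a new file" >&2
        return 1
    fi

    # noclobber (set -C) makes '>' fail when the target already exists,
    # including a symlink placed there beforehand. umask 077 keeps the
    # new file private. Both settings stay inside the subshell.
    (
        umask 077
        set -C
        : > "$KAFFE_DEBUG_TEMPFILE"
    ) 2>/dev/null || {
        echo "refusing to reuse existing file: $KAFFE_DEBUG_TEMPFILE" >&2
        return 1
    }
    printf '%s\n' "$KAFFE_DEBUG_TEMPFILE"
}

# Typical use in a wrapper script:
#   cmds=$(make_gdb_cmdfile) || exit 1
#   trap 'rm -f "$cmds"' EXIT
#   ... write the gdb commands to "$cmds", then: gdb -command "$cmds" ...
```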




