Subject: Re: syslog_r (Re: CVS commit: src/lib/libc)
To: SODA Noriyuki <soda@sra.co.jp>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-userlevel
Date: 10/26/2006 07:54:12
On Thu, Oct 26, 2006 at 08:23:34PM +0900, SODA Noriyuki wrote:
> Isn't it better to remove syslog_r() from libc as soon as possible,
> at least until this issue is settled?
> Since leaving it in libc may cause an ABI problem.

I tend to agree.  I had it in my local tree because I needed it to
compile something from OpenBSD.  But looking at it, it's really just
not possible to make it safe, when users can pass it arbitrary format
strings.

The idea that we could "fix" it by documenting exactly which
format strings are safe seems like an incredibly bad one, too -- it's
just irresponsible to provide an interface that confusing and then
pretend that users will read and comprehend every last shred of
documentation, so that they don't screw up.

If we have this interface, code that tries to use it to be signal-safe
will compile and link cleanly, which is not a good thing.  At the very
least, if it's going to stay in our tree, it needs a compiler or linker
warning.

We should provide a safe, syscall-only fixed-string syslog() equivalent
for use in signal handlers.  It's pretty much the best we can do.

-- 
  Thor Lancelot Simon	                                     tls@rek.tjls.com

  "We cannot usually in social life pursue a single value or a single moral
   aim, untroubled by the need to compromise with others."      - H.L.A. Hart
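An added illustration of the "syscall-only fixed-string" alternative proposed above. This is example code written for this page, not the NetBSD libc syslog_r() under discussion or anything posted in the thread; the function names (build_log_line, write_all, safe_syslog_fixed), the "<PRI>tag: msg\n" line layout and the use of an arbitrary caller-supplied descriptor rather than the syslog socket are assumptions made for the illustration. The point it demonstrates is that a logger which never touches the printf family has no format string for a caller to get wrong: '%' in the message is just a byte, and the only libc-level work in the handler is write(2), which is async-signal-safe.

```c
/* Added example (not NetBSD code): fixed-string logger usable from a
 * signal handler.  Names and line layout are assumptions for illustration. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Copy src into dst at off, never past cap; no libc calls.  Returns bytes copied. */
static size_t append_fixed(char *dst, size_t cap, size_t off, const char *src)
{
    size_t i = 0;
    while (src[i] != '\0' && off + i < cap) { dst[off + i] = src[i]; i++; }
    return i;
}

/* Decimal encoding of a small unsigned value (the syslog priority). */
static size_t append_uint(char *dst, size_t cap, size_t off, unsigned v)
{
    char tmp[16];
    size_t n = 0, i = 0;
    do { tmp[n++] = (char)('0' + v % 10); v /= 10; } while (v != 0);
    while (n > 0 && off + i < cap) { dst[off + i] = tmp[--n]; i++; }
    return i;
}

/* Build "<pri>tag: msg\n" from fixed strings only; msg is copied byte for
 * byte, so '%' has no meaning.  Returns bytes placed (<= cap); the result is
 * NUL-terminated only when there is room, callers must use the length. */
size_t build_log_line(char *buf, size_t cap, unsigned pri,
                      const char *tag, const char *msg)
{
    size_t off = 0;
    off += append_fixed(buf, cap, off, "<");
    off += append_uint(buf, cap, off, pri);
    off += append_fixed(buf, cap, off, ">");
    off += append_fixed(buf, cap, off, tag);
    off += append_fixed(buf, cap, off, ": ");
    off += append_fixed(buf, cap, off, msg);
    off += append_fixed(buf, cap, off, "\n");
    if (off < cap) buf[off] = '\0';
    return off;
}

/* write(2) loop: retries on EINTR and short writes.  0 on success, -1 on error. */
int write_all(int fd, const char *p, size_t n)
{
    while (n > 0) {
        ssize_t w = write(fd, p, n);
        if (w < 0) { if (errno == EINTR) continue; return -1; }
        p += w; n -= (size_t)w;
    }
    return 0;
}

/* Handler-safe entry point: the only system call is write(2), and errno is
 * saved and restored so the interrupted code never sees it change.
 * Returns bytes emitted, or -1. */
ssize_t safe_syslog_fixed(int fd, unsigned pri, const char *tag, const char *msg)
{
    int saved = errno;
    char line[256];
    size_t n = build_log_line(line, sizeof line, pri, tag, msg);
    int rc = write_all(fd, line, n);
    errno = saved;
    return rc == 0 ? (ssize_t)n : -1;
}

static int g_log_fd = STDERR_FILENO;   /* set before the handler is installed */

static void on_sigusr1(int sig)
{
    (void)sig;   /* fixed strings only; nothing depends on interrupted state */
    safe_syslog_fixed(g_log_fd, 14, "example", "caught SIGUSR1");
}

/* Self-check: route the handler's output through a pipe and read it back.
 * Returns 1 when the expected fixed line arrives, 0 otherwise. */
int demo_roundtrip(void)
{
    int fds[2];
    char got[256];
    struct sigaction sa;
    if (pipe(fds) != 0) return 0;
    g_log_fd = fds[1];
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigusr1;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGUSR1, &sa, NULL) != 0) return 0;
    raise(SIGUSR1);                      /* handler runs before raise() returns */
    ssize_t r = read(fds[0], got, sizeof got - 1);
    close(fds[0]); close(fds[1]);
    g_log_fd = STDERR_FILENO;
    if (r <= 0) return 0;
    got[r] = '\0';
    return strcmp(got, "<14>example: caught SIGUSR1\n") == 0;
}

int main(void)
{
    if (!demo_roundtrip()) { fputs("roundtrip failed\n", stderr); return 1; }
    puts("signal handler logged a fixed string via write(2) only");
    return 0;
}
```

Two design points worth noting: the buffer is a stack array sized at compile time, so a too-long tag or message truncates rather than overflows, and the write loop handles EINTR because a logger invoked from a handler is exactly the code most likely to be interrupted by another signal. Anything beyond fixed strings (a formatted errno, a PID) would need to be rendered by equally restrained byte-level routines such as append_uint; the moment a general-purpose format string enters the interface, the guarantee the thread is asking for is gone.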