Re: PATCH: NSPathUtilities etc

[David Ayers]

Sheldon Gill wrote:

> > Some more comments on NSPathUtilities.m. I think I'd be ready to commit
> > this after addressing these comments.
>
>
> Excellent!  I'd be happy to update my submission and work with you in it's 
> integration.

I understand that you are trying to address complicated issues.  I must 
admit that I'm not convinced that this is right approach.  OTOH, I don't 
have the cycles to come up with a better solution so I won't stand in 
the way of progress.  But I have a few mechanical issues I haven't 
addressed before.  So I would be grateful if you could post your patch 
again, possibly in coherent separate posts so that the issues can be 
addressed individually.  I know its extra work but I really think it is 
needed here.

> > > /* Initialise all things required by this module */
> > > void InitialisePathUtilities(void)
>
>
> > I'd like to keep support for the root .GNUsteprc file as well, at least
> > until we decide to depreciate it.
>
>
> I thought that now was right time to do so.  It does not add functionality,  
> but the same level is provided by the new GNUstep.conf along with other 
> benefits. One might consider the new configuration file a sort of upgrade of 
> the old one, albeit one which requires changes and moving the file.
>
> I think having a root .GNUsteprc which can over-ride GNUstep.conf makes things 
> more complex without giving us any benefits.

I believe that it is important that we keep backward compatibility for a 
transition period, even if that's only a single major release cycle. 
(Note that we still have transition support for the old header 
structure.  It's on my TODO list to remove this though.)

> > > /**
> > > * Returns loginName's home directory as an NSString object.
> > > */
> > >  s = Win32GetUserProfileDirectory(loginName);
> >
> > Does this look at HOMEPATH or USERPROFILE? Should we allow the user to
> > override this with HOMEPATH, etc, if not?
>
>
> At the moment it looks at HOMEPATH first, followed by USERPROFILE. These are 
> just environment variables and so can be overridden by the user.
>
> I have code to get the real home path from API calls coming...
> that'll mean no need for environment variables...
>
> My -make changes follow the same logic but issue a warning about potential 
> problems with spaces in the path.
>
>
> > > /**
> > > * Returns the name of a directory in which temporary files can be
> > > stored.<br/ >
> > > * For unix-like systems this is usually '/tmp'.<br/ >
> > > * For MS-Windows systems this is the system temporary directory,
> > > often '%WINDIR%\TEMP\'.<br/ >
> > > */
> > > NSString
> > > *NSTemporaryDirectory(void)
> >
> > Why did you take out the creation of a secure subdirectory of temp?
>
>
> This is a bigger question.
>
> Firstly, the existing code isn't really secure. You can circumvent it. I 
> looked at changing that but things start getting quite complex.
>
> Secondly, the OpenStep and Cocoa behaviour is simply to return the temporary 
> directory.
>
> Now, what is the right behaviour from an API perspective?  Well, on one hand 
> we want a place where we can create temporary files in a secure and safe way. 
> Often, the goal is a temporary file. Pure and simple. No need for a whole 
> directory.
> On the other hand, sometimes we want to discover where {temp} actually is. For 
> example, if I want to find "/tmp/.X11-unix".
>
> Additionally, there are systems which use extended attributes and capabilities 
> for more secure/flexible behaviour.
>
> In light of these things, I think that the right thing for 
> NSTemporaryDirectory() to do is to return the path to the temporary 
> directory.
>
> Thus it serves as the basis of all operations.
> * If you want a secure directory in there write
> MyTemporaryDirectory() which does the right things for your application and 
> platform
> * If you want a secure temp file write
> MyCreateTempFile() which does the right things for your purposes
> * If you want to find, use GSFindNamedFile( NSTemporaryDirectory(), 
> ".X11-unix", nil) or whatever
>
> It does pave the way for a library of routines to do these things in various 
> ways for various platforms but I think this is a good thing.
> Creating a single use temporary file under POSIX is best done by calling 
> (f)open with the create flag, limited mode and a difficult name to guess.
> Doing the same conceptual thing under Win32 is different.
>
> In short, I strove to make things more simple and straightforward. I feel this 
> generally leads to more robust code that's both easier to use and maintain.

I can see how one can derive this from the documentation.  But IMO, this 
definitely needs a transition period for code relying on the secureness 
of NSTemporaryDirectory().  First we need a major release which 
introduces something like a GSSecureTemporaryDirectory(), have 
NSTemporaryDirectory() return that same directory and prominently 
announce that NSTemporaryDirectory() won't return a secured directory 
but the system directory in future releases.  We can then consider 
changing NSTemporaryDirectory() for the following major release.

Cheers,
David

PS: Maybe we should create a file in CVS tracking deprecated 
features/behavior to be reviewed after each major release branch is cut.