[oe] TinyLogin

Mike (mwester) mwester at dls.net
Mon Mar 30 13:57:27 UTC 2009


Holger Schurig wrote:

> However, I like to base fear on evidence, that's why I replied.

Having spent 4 years of my life working in the security space, and a
year of that actually reviewing source code for security-related issues,
I can safely say that in my part of the world (central US), it is the
other way around:

when security is involved, fear is based on _lack_ of evidence of
correctness.

Due to its size and frequency of change, the code is impossible for human
review, and due to the structure of the code, it is unlikely that automated
commercial tools would be able to do much with it (I know; I tried once).

IMO (for what that's worth), we need to support the "everything is
busybox!" sort of build; there's just no alternative for small devices.
But the problem is what do we do for that middle ground, for devices
that can't fit the entire set of "proper" tools but might not be willing
to take the security risk associated with running busybox SETUID.

I rather suspect tinylogin will live on, even if maintenance is minimal.

-Mike (mwester)