On Jul 28,  7:20pm, "Nathan J. Williams" wrote:
} jnemeth@victoria.tc.ca (John Nemeth) writes:
} 
} >      When you consider all the squawking that the OpenBSD crowd does
} > about why their code is so secure because they audit it amongst other
} > things, I want it to not have the bugs.  SSH is an extremely important
} > security related application.  It shouldn't have security holes.
} 
} I'm always stunned that people can write what they consider to be
} security-important code in a language with as many safety pitfalls as
} C. While [Open]SSH has had a handful of logic vulnerabilites, there
} have also been quite a few bounds-check vulnerabilites of the kind
} that language designers have known how to avoid for nearly thirty
} years.

    I'm not.  Pratical reality dictates that portable code be written
in C.  However, most of the pitfalls are well known.  And, people that
are supposedly experts in writing secure code shouldn't fall into
simple traps such as overrunning arrays (especially if they audit the
code).

}-- End of excerpt from "Nathan J. Williams"