tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Theo chiming in on strlcpy

On Sat, Dec 21, 2013 at 07:10:46PM +0000, David Holland wrote:
> On Sat, Dec 21, 2013 at 06:51:07PM +0100, Marc Espie wrote:
>  > Oh, you can borrow from us (for the "recognizing bad code"), we've
>  > been patching the compiler and the libc to warn about strcpy and
>  > friends for years.  (the compiler, because otherwise, the built-ins
>  > tend to vanish)
> Right, because all uses of strcpy are bad. Yeah.

No, only about 99% of them.  There are many many developers out there,
and most of them don't know how to write reasonably secure code.

Yeah, you're probably the 1% that uses strcpy correctly the first time.

But think about it.  Less gifted developers are going to use it incorrectly.
Or go write impossible-to-audit messes.

I prefer having my code go 0.5% less fast, but not to have to spend hours
auditing wacky wacky wacky string stuff.

Home | Main Index | Thread Index | Old Index