tech-pkg archive


Re: Theo chiming in on strlcpy



On Sat, Dec 21, 2013 at 08:22:05PM +0100, Marc Espie wrote:
 > >  > Oh, you can borrow from us (for the "recognizing bad code"), we've
 > >  > been patching the compiler and the libc to warn about strcpy and
 > >  > friends for years.  (the compiler, because otherwise, the built-ins
 > >  > tend to vanish)
 > > 
 > > Right, because all uses of strcpy are bad. Yeah.
 > 
 > No, only about 99% of them.  There are many many developers out there,
 > and most of them don't know how to write reasonably secure code.
 > 
 > Yeah, you're probably the 1% that uses strcpy correctly the first time.
 > 
 > But think about it.  Less gifted developers are going to use it incorrectly.
 > Or go write impossible-to-audit messes.
 > 
 > I prefer having my code go 0.5% less fast, but not to have to spend hours
 > auditing wacky wacky wacky string stuff.

Not only have I thought about it, I've been patching insecure code as
long as just about anyone. I just don't happen to agree with your
dogma.

-- 
David A. Holland
dholland%netbsd.org@localhost

