tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Theo chiming in on strlcpy

On Sat, Dec 21, 2013 at 08:22:05PM +0100, Marc Espie wrote:
 > >  > Oh, you can borrow from us (for the "recognizing bad code"), we've
 > >  > been patching the compiler and the libc to warn about strcpy and
 > >  > friends for years.  (the compiler, because otherwise, the built-ins
 > >  > tend to vanish)
 > > 
 > > Right, because all uses of strcpy are bad. Yeah.
 > No, only about 99% of them.  There are many many developers out there,
 > and most of them don't know how to write reasonably secure code.
 > Yeah, you're probably the 1% that uses strcpy correctly the first time.
 > But think about it.  Less gifted developers are going to use it incorrectly.
 > Or go write impossible-to-audit messes.
 > I prefer having my code go 0.5% less fast, but not to have to spend hours
 > auditing wacky wacky wacky string stuff.

Not only have I thought about it, I've been patching insecure code as
long as just about anyone. I just don't happen to agree with your

David A. Holland

Home | Main Index | Thread Index | Old Index