Re: Theo chiming in on strlcpy

[Marc Espie <espie%nerim.net@localhost>]

On Sat, Dec 21, 2013 at 07:38:23PM +0000, David Holland wrote:
> On Sat, Dec 21, 2013 at 08:22:05PM +0100, Marc Espie wrote:
>  > Yeah, you're probably the 1% that uses strcpy correctly the first time.
>  > 
>  > But think about it.  Less gifted developers are going to use it 
> incorrectly.
>  > Or go write impossible-to-audit messes.
>  > 
>  > I prefer having my code go 0.5% less fast, but not to have to spend hours
>  > auditing wacky wacky wacky string stuff.
> 
> Not only have I thought about it, I've been patching insecure code as
> long as just about anyone. I just don't happen to agree with your
> dogma.

Well, aren't you getting tired of patching the same mistakes again and again ?
I mostly got my opinion (what you called "dogma") when I started realizing
I didn't have enough time to fix it all. And when you start delegating, or
teaching, you start realizing what is "obvious" to you is very complicated
for a lot of people (because they don't have your experience).

Face it, the numbers are against us. We're going to be overrun by
zombies^Wjava developers^Wbeginners...

there are too many misused strcpy out there, and not enough good developers.
You can't enlighten them all. Giving them better and simpler tools is more
cost-effective.