Re: CVS commit: src/crypto/external/bsd/netpgp/dist
On Wed, May 06, 2009 at 12:33:00AM +0100, Alistair Crooks wrote:
> Imagine someone embedding this library in their (embedded) product.
> Having the library dump core for what is an unusual occurrence, admittedly
> (such as an out of memory condition, perhaps) is suboptimal, since the
> product may then have to be re-started to get a working system. This
> is too intrusive. As someone with an LCD TV which sometimes does this,
> it annoys me intensely. Names and models on request, in private.
>
> This also brings us round to a pet peeve of mine - for development
> work, dumping core is fine for exceptional conditions. Same as kernel
> panics. It's not usually wanted in production code.
Having things fail silently or go into a fugue state is not an
improvement, particularly in security code. So I'd qualify all this by
saying that end-to-end behavior should always be fail-stop.
However, I'm inclined to agree that libraries should not in general
abort on behalf of an application, and that it's the application's
responsibility to be fail-stop.
--
David A. Holland
dholland%netbsd.org@localhost
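To make the distinction in the reply concrete, here is an added example (constructed for this page, not netpgp code) contrasting a library routine that aborts on allocation failure with one that reports the failure and leaves the fail-stop decision to the application. The `fail_next_alloc` hook and `lib_malloc` wrapper are assumptions used only to simulate an out-of-memory condition without exhausting memory.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed hook: set to 1 to make the next allocation fail, so the
 * out-of-memory path can be exercised deterministically. */
int fail_next_alloc = 0;

void *lib_malloc(size_t n)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return malloc(n);
}

/* Library style the quoted message objects to: an unusual condition
 * (here, allocation failure) takes the embedding process down. */
char *dup_buffer_abort(const char *src, size_t len)
{
    char *out = lib_malloc(len + 1);
    if (out == NULL)
        abort();            /* core dump inside the caller's product */
    memcpy(out, src, len);
    out[len] = '\0';
    return out;
}

/* Library style the reply favours: return an error, never abort on the
 * application's behalf. On failure *outp is NULL and no partial result
 * is handed back. */
int dup_buffer(const char *src, size_t len, char **outp)
{
    char *out;
    *outp = NULL;
    if ((out = lib_malloc(len + 1)) == NULL)
        return -1;          /* caller sees the failure instead of a crash */
    memcpy(out, src, len);
    out[len] = '\0';
    *outp = out;
    return 0;
}

/* Application layer: it is the application's job to be fail-stop.
 * Returns 1 on success, 0 when it stopped the operation cleanly. */
int app_process(const char *msg, int simulate_oom)
{
    char *copy;
    fail_next_alloc = simulate_oom;
    if (dup_buffer(msg, strlen(msg), &copy) != 0) {
        fprintf(stderr, "allocation failed; stopping this operation\n");
        return 0;           /* stop here rather than continue in a bad state */
    }
    free(copy);
    return 1;
}
```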