Re: Theo chiming in on strlcpy

To: David Holland <dholland-pkgtech%netbsd.org@localhost>
Subject: Re: Theo chiming in on strlcpy
From: Marc Espie <espie%nerim.net@localhost>
Date: Sat, 21 Dec 2013 20:22:05 +0100

On Sat, Dec 21, 2013 at 07:10:46PM +0000, David Holland wrote:
> On Sat, Dec 21, 2013 at 06:51:07PM +0100, Marc Espie wrote:
>  > Oh, you can borrow from us (for the "recognizing bad code"), we've
>  > been patching the compiler and the libc to warn about strcpy and
>  > friends for years.  (the compiler, because otherwise, the built-ins
>  > tend to vanish)
> 
> Right, because all uses of strcpy are bad. Yeah.

No, only about 99% of them.  There are many many developers out there,
and most of them don't know how to write reasonably secure code.

Yeah, you're probably the 1% that uses strcpy correctly the first time.

But think about it.  Less gifted developers are going to use it incorrectly.
Or go write impossible-to-audit messes.

I prefer having my code go 0.5% less fast, but not to have to spend hours
auditing wacky wacky wacky string stuff.

Follow-Ups:
- Re: Theo chiming in on strlcpy
  - From: John Nemeth
- Re: Theo chiming in on strlcpy
  - From: David Holland

References:
- Theo chiming in on strlcpy
  - From: Marc Espie
- Re: Theo chiming in on strlcpy
  - From: Hubert Feyrer
- Re: Theo chiming in on strlcpy
  - From: Marc Espie
- Re: Theo chiming in on strlcpy
  - From: David Holland

Prev by Date: Re: Theo chiming in on strlcpy
Next by Date: Re: pkgsrc frozen as of now
Previous by Thread: Re: Theo chiming in on strlcpy
Next by Thread: Re: Theo chiming in on strlcpy
Indexes:

Home | Main Index | Thread Index | Old Index