This is the mail archive of the
libc-alpha@sources.redhat.com
mailing list for the glibc project.
Re: [open-source] Re: Wish for 2002
Paul Eggert wrote:
>
> > Date: Thu, 03 Jan 2002 10:25:48 -0500
> > From: David Wheeler <dwheeler@ida.org>
> >
> > The OpenBSD developers, who have a lot of practical
> > experience in securing applications,
>
> The OpenBSD developers operate in a different environment from the GNU
> developers. They take a lot of code, much of it of poor quality, and
> try to make it safer without necessarily having to understand it
> thoroughly. The goal is mainly to prevent certain things from
> happening, not to improve the code quality or functionality. In that
> environment, strlcpy and strlcat can be useful.
>
> GNU applications typically are developed under a different model, with
> a set of maintainers who understand the code fairly well, and who try
> to improve the code quality and functionality. In that model, my
> experience is that strlcpy and strlcat tend to be distractions: they
> tend to make the code noticeably harder to maintain without adding
> much safety. That is why I recommend against their use in GNU code.
Oh please! What's the first mail I read this morning? A post to Bugtraq
about a buffer overflow in gzip (which, guess what, is a GNU app) that
was incorrectly fixed using strncpy.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html