This is the mail archive of the libc-alpha@sources.redhat.com mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [open-source] Re: Wish for 2002


Paul Eggert wrote:
> 
> > Date: Thu, 03 Jan 2002 10:25:48 -0500
> > From: David Wheeler <dwheeler@ida.org>
> >
> > The OpenBSD developers, who have a lot of practical
> > experience in securing applications,
> 
> The OpenBSD developers operate in a different environment from the GNU
> developers.  They take a lot of code, much of it of poor quality, and
> try to make it safer without necessarily having to understand it
> thoroughly.  The goal is mainly to prevent certain things from
> happening, not to improve the code quality or functionality.  In that
> environment, strlcpy and strlcat can be useful.
> 
> GNU applications typically are developed under a different model, with
> a set of maintainers who understand the code fairly well, and who try
> to improve the code quality and functionality.  In that model, my
> experience is that strlcpy and strlcat tend to be distractions: they
> tend to make the code noticeably harder to maintain without adding
> much safety.  That is why I recommend against their use in GNU code.

Oh please! What's the first mail I read this morning? A post to Bugtraq
about a buffer overflow in gzip (which, guess what, is a GNU app) that
was incorrectly fixed using strncpy.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]