tech-pkg archive


Re: Theo chiming in on strlcpy



On Sat, Dec 21, 2013 at 07:10:46PM +0000, David Holland wrote:
> On Sat, Dec 21, 2013 at 06:51:07PM +0100, Marc Espie wrote:
> > Oh, you can borrow from us (for the "recognizing bad code"), we've
> > been patching the compiler and the libc to warn about strcpy and
> > friends for years. (the compiler, because otherwise, the built-ins
> > tend to vanish)
> 
> Right, because all uses of strcpy are bad. Yeah.
No, only about 99% of them. There are many many developers out there,
and most of them don't know how to write reasonably secure code.
Yeah, you're probably the 1% that uses strcpy correctly the first time.
But think about it. Less gifted developers are going to use it incorrectly.
Or go write impossible-to-audit messes.
I prefer having my code go 0.5% less fast, but not to have to spend hours
auditing wacky wacky wacky string stuff.

