On Wed, Aug 19, 2015 at 01:50:22PM -0400, Steve Litt wrote:
> On Wed, 19 Aug 2015 18:25:45 +0100
> Rainer Weikusat <rainerweiku...@virginmedia.com> wrote:
>
> > Edward Bartolo <edb...@gmail.com> writes:
> > > I am not assuming anything and understand the risks of buffer
> > > overflows. The first step I am taking is to make the code function.
> > > The second step is to further debug it until it behaves properly and
> > > the third step is to correct any potential security issues.
> >
> > Realistically, the first step is 'make the code function', the second
> > step is 'graduate from university based on your thesis' and the 3rd
> > was called 'heartbleed', IOW, that's not going to happen in this way.
> > If you're doing string processing in C, try to do it correctly from
> > the start. That's much easier than retrofitting proper length/size
> > handling onto some working code.
>
> LOL, hey guys, cut Edward some slack. He whipped this up in one day,
> when the rest of us, especially I, were sitting on our hands *with
> respect to a Wifi tool*.
>
> He'll obviously change the strcpy() to strncpy(), or buf=(char *)
> malloc(sizeof(char) * strlen(src)) later, and if he doesn't, we will.
>
> In The Cathedral and the Bazaar, Eric Raymond says the following:
>
> ==================================================================
> When you start community-building, what you need to be able to present
> is a plausible promise. Your program doesn't have to work particularly
> well. It can be crude, buggy, incomplete and poorly documented. What it
> must not fail to do is (a) run, and (b) convince potential
> co-developers that it can be evolved into something really neat in the
> foreseeable future.
> ==================================================================
>
> In one day, Edward has accomplished the preceding. With very simple
> code having few if any dependencies. And it's short enough that
> retrofitting won't be a problem.
>
> Having no wifi on this box, I haven't been able to run his thing yet,
> but I bet I could run it without a front end, just by making a couple
> test-jig shellscripts.
>
> Edward, you just keep doing what you're doing. Any rough edges or
> insecurities you don't smooth out, there's an army of people who can do
> that.
>
> SteveT

Despite my comments about programming languages and reliability, I agree with this.

-- 
hendrik

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
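The quoted exchange turns on two C string-handling details: strncpy() does not NUL-terminate when the source is longer than the destination, and a buffer sized as malloc(strlen(src)) has no room for the terminator. The following is an added example, not code from this thread or from Edward's tool: a bounded copy that always terminates and reports truncation, an exact-size heap copy, and a small check that makes the strncpy() behaviour observable; the SSID-like sample string is constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Bounded copy into dst (dstsize bytes). Unlike strncpy() it always
 * NUL-terminates when dstsize > 0 and reports truncation to the caller.
 * Returns 0 if src fit, 1 if it was truncated, -1 if dstsize is 0. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return -1;
    /* Look at most dstsize bytes into src, so an unterminated src is safe. */
    const char *end = memchr(src, '\0', dstsize);
    size_t n = end ? (size_t)(end - src) : dstsize;
    if (n >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);          /* n + 1 includes the terminator */
    return 0;
}

/* Heap copy sized from the source. strlen() excludes the NUL, so the
 * allocation must be strlen(src) + 1 bytes. */
char *dup_exact(const char *src)
{
    size_t len = strlen(src);
    char *buf = malloc(len + 1);
    if (buf != NULL)
        memcpy(buf, src, len + 1);
    return buf;
}

/* Makes the strncpy() hazard observable: returns 1 if strncpy() left a NUL
 * within the first dstsize bytes, 0 if it silently truncated without one. */
int strncpy_leaves_terminator(const char *src, size_t dstsize)
{
    char buf[64];
    if (dstsize == 0 || dstsize > sizeof buf)
        return -1;
    memset(buf, 'X', sizeof buf);     /* poison: a missing NUL shows up */
    strncpy(buf, src, dstsize);
    return memchr(buf, '\0', dstsize) != NULL;
}
```

With the constructed 18-character string "MyHomeNetwork-5GHz" and an 8-byte destination, copy_bounded() returns 1 and leaves "MyHomeN", while strncpy_leaves_terminator() returns 0 for the same input.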