Comments on the secure coding guidelines.

Under the banned C functions:
----------------------------------------------
scanf() & family. Why not list the family of functions? It's best to be explicit.

This is the only one on the list that causes some confusion for me. Not because I don't see how it is unsafe, but more because I don't really know the best replacement for the issue. Please add the reasoning for this being banned. Is the C++ cin a valid replacement if we need to obtain data from standard input?

Is there a list of banned C++ functions?

Under Enable all defensive-code compiler options:
----------------------------------------------
I enabled the -Werror build flag for IoTivity just two weeks ago (we have been building with -Wall and -Wextra for quite a while). It is currently ON by default, not OFF. It can be disabled using the build option ERROR_ON_WARN=0. This is currently limited to the Linux build only. Additionally, Windows currently builds with -W4 (with some selected disabled warnings) and -WX, with no option to shut off those warnings.

Should we change the name of the ERROR_ON_WARN build flag?

Under Debugging code and backdoors:
----------------------------------------------
Does it really make sense to have the same build flag control the debugging code as we used to disable the build warnings? I feel you would want these things to be independent of one another.

NO BACKDOORS is a must-have policy; I 100% agree.

George

-----Original Message-----
From: iotivity-dev-boun...@lists.iotivity.org [mailto:iotivity-dev-boun...@lists.iotivity.org] On Behalf Of Thiago Macieira
Sent: Thursday, November 2, 2017 1:13 PM
To: iotivity-dev@lists.iotivity.org
Subject: [dev] Secure coding guidelines for IoTivty

Hello all

I took an action in the last OCF meeting to propose a set of secure coding guidelines for IoTivity. Here's what I came up with, to start the discussion:

https://wiki.iotivity.org/secure_coding_guidelines

The document is not complete and it is just the beginning of the discussion. It's also meant to be a live document and we should update it as we learn, though it's not meant to duplicate what's in the source code itself.

PS: the page isn't linked from anywhere yet. I'd like some feedback and updates before we make it IoTivity policy.

--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel Open Source Technology Center

_______________________________________________
iotivity-dev mailing list
iotivity-dev@lists.iotivity.org
https://lists.iotivity.org/mailman/listinfo/iotivity-dev