Re: [DNG] Systemd Shims
Author: Steve Litt
Date:
To: dng
Subject: Re: [DNG] Systemd Shims
On Wed, 19 Aug 2015 18:25:45 +0100
Rainer Weikusat <rainerweikusat@???> wrote:

> Edward Bartolo <edbarx@???> writes:
> > I am not assuming anything and understand the risks of buffer
> > overflows. The first step I am taking is to make the code function.
> > The second step is further debug it until it behaves properly and
> > the third step is to correct any potential security issues.
>
> Realistically, the first step is 'make the code function', the second
> step is 'graduate from university based on your thesis' and the 3rd
> was called 'heartbleed', IOW, that's not going to happen in this way.
> If you're doing string processing in C, try to do it correctly from
> the start. That's much easier than retrofitting proper length/ size
> handling onto some working code.


LOL, hey guys, cut Edward some slack. He whipped this up in one day,
when the rest of us, especially I, were sitting on our hands *with
respect to a Wifi tool*.

He'll obviously change the strcpy() to strncpy(), or buf=(char *) malloc(sizeof(char) * strlen(src)) later, and if he doesn't, we will.

In The Cathedral and the Bazaar, Eric Raymond says the following:

==================================================================
When you start community-building, what you need to be able to present
is a plausible promise. Your program doesn't have to work particularly
well. It can be crude, buggy, incomplete and poorly documented. What it
must not fail to do is (a) run, and (b) convince potential
co-developers that it can be evolved into something really neat in the
foreseeable future.
==================================================================

In one day, Edward has accomplished the preceding. With very simple
code having few if any dependencies. And it's short enough that
retrofitting won't be a problem.

Having no wifi on this box, I haven't been able to run his thing yet,
but I bet I could run it without a front end, just by making a couple
test-jig shellscripts.

Edward, you just keep doing what you're doing. Any rough edges or
insecurities you don't smooth out, there's an army of people who can do
that.

SteveT

Steve Litt
August 2015 featured book: Troubleshooting: Just the Facts
http://www.troubleshooters.com/tjust
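The exchange above turns on two fixes that look like drop-in replacements for strcpy() but each carry a pitfall: strncpy() does not write a terminating NUL when the source fills the whole buffer, and an allocation sized as strlen(src) leaves no room for the terminator. The following is an added example, written for this page and not code from the thread or from Edward's Wifi tool, that makes both pitfalls observable and shows a bounded copy that always terminates and reports truncation (the strlcpy idiom). The function names and the sample SSID are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the DNG thread or from Edward's tool.
 * Three ways of copying a C string, and which of them keep the result
 * NUL-terminated and within bounds. */

/* Pitfall 1: strncpy() into an n-byte buffer.  Returns 1 if the copy is
 * NUL-terminated somewhere inside the buffer, 0 if it is not, -1 on
 * allocation failure.  When strlen(src) >= n, strncpy writes n bytes and
 * no terminator, so a later strlen()/printf() on buf runs off the end. */
int strncpy_is_terminated(const char *src, size_t n) {
    char *buf = malloc(n);
    if (buf == NULL) return -1;
    memset(buf, 'X', n);            /* poison, so a missing NUL is visible */
    strncpy(buf, src, n);
    int terminated = memchr(buf, '\0', n) != NULL;
    free(buf);
    return terminated;
}

/* Pitfall 2: sizing the allocation from the source.  malloc(strlen(src))
 * is one byte short; the +1 below reserves space for the terminator.
 * Returns a heap copy the caller must free(), or NULL on failure. */
char *dup_string(const char *src) {
    size_t len = strlen(src);
    char *dst = malloc(len + 1);
    if (dst == NULL) return NULL;
    memcpy(dst, src, len + 1);      /* copies the terminating NUL as well */
    return dst;
}

/* Bounded copy into a caller-supplied buffer of n bytes.  Always writes a
 * terminator when n > 0 and returns strlen(src), so the caller detects
 * truncation with `ret >= n` (same contract as BSD strlcpy). */
size_t bounded_copy(char *dst, size_t n, const char *src) {
    size_t len = strlen(src);
    if (n == 0) return len;
    size_t to_copy = len < n - 1 ? len : n - 1;
    memcpy(dst, src, to_copy);
    dst[to_copy] = '\0';
    return len;
}

int main(void) {
    char buf[8];
    const char *ssid = "LongNetworkName";   /* constructed sample input, 15 chars */

    printf("strncpy into %zu bytes terminated: %d\n",
           sizeof buf, strncpy_is_terminated(ssid, sizeof buf));

    size_t need = bounded_copy(buf, sizeof buf, ssid);
    printf("bounded copy: \"%s\" (truncated: %s)\n",
           buf, need >= sizeof buf ? "yes" : "no");

    char *copy = dup_string(ssid);
    if (copy != NULL) {
        printf("heap copy: \"%s\" (%zu bytes allocated)\n", copy, strlen(copy) + 1);
        free(copy);
    }
    return 0;
}
```

Run against a network name longer than the buffer, the strncpy variant reports 0 (no terminator inside the buffer) while the bounded copy yields "LongNet" and a return value that tells the caller the name was cut; the point is that the fix Rainer asks for is a length-aware copy plus a truncation check, not a one-token substitution.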