Author: Hendrik Boom Date: To: dng Subject: Re: [DNG] Systemd Shims
On Wed, Aug 19, 2015 at 01:50:22PM -0400, Steve Litt wrote:
> On Wed, 19 Aug 2015 18:25:45 +0100
> Rainer Weikusat <rainerweikusat@???> wrote:
>
> > Edward Bartolo <edbarx@???> writes:
> > > I am not assuming anything and understand the risks of buffer
> > > overflows. The first step I am taking is to make the code function.
> > > The second step is further debug it until it behaves properly and
> > > the third step is to correct any potential security issues.
> >
> > Realistically, the first step is 'make the code function', the second
> > step is 'graduate from university based on your thesis' and the 3rd
> > was called 'heartbleed', IOW, that's not going to happen in this way.
> > If you're doing string processing in C, try to do it correctly from
> > the start. That's much easier than retrofitting proper length/size
> > handling onto some working code.
>
> LOL, hey guys, cut Edward some slack. He whipped this up in one day,
> when the rest of us, especially I, were sitting on our hands *with
> respect to a Wifi tool*.
>
> He'll obviously change the strcpy() to strncpy(), or buf=(char *)
> malloc(sizeof(char) * strlen(src)) later, and if he doesn't, we will.
>
> In The Cathedral and the Bazaar, Eric Raymond says the following:
>
> ==================================================================
> When you start community-building, what you need to be able to present
> is a plausible promise. Your program doesn't have to work particularly
> well. It can be crude, buggy, incomplete and poorly documented. What it
> must not fail to do is (a) run, and (b) convince potential
> co-developers that it can be evolved into something really neat in the
> foreseeable future.
> ==================================================================
>
> In one day, Edward has accomplished the preceding. With very simple
> code having few if any dependencies. And it's short enough that
> retrofitting won't be a problem.
>
> Having no wifi on this box, I haven't been able to run his thing yet,
> but I bet I could run it without a front end, just by making a couple
> test-jig shellscripts.
>
> Edward, you just keep doing what you're doing. Any rough edges or
> insecurities you don't smooth out, there's an army of people who can do
> that.
>
> SteveT
Despite my comments about programming languages and reliability, I agree
with this.
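Editor's added example, not code from this thread or from Edward's tool: the retrofit Steve sketches above is the place where C string code usually goes wrong a second time. `malloc(sizeof(char) * strlen(src))` leaves no byte for the terminating NUL, and `strncpy()` writes no terminator at all when the source fills the buffer, so a later `printf("%s")` or `strlen()` runs off the end. The functions below (`bounded_copy`, `dup_string` and `strncpy_terminates` are my names, and the interface and SSID strings are constructed sample input) show the length handling Rainer is asking for: copy only what fits, always terminate, and report truncation to the caller.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded copy that always NUL-terminates dst when dstsz > 0.
 * Returns strlen(src) so the caller can detect truncation:
 * the copy was truncated iff the return value is >= dstsz. */
size_t bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t srclen = strlen(src);
    if (dstsz == 0)
        return srclen;                 /* nothing we can safely write */
    size_t n = srclen < dstsz - 1 ? srclen : dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';                     /* terminator is always written */
    return srclen;
}

/* Heap duplicate sized strlen(src) + 1: the +1 is the terminator that
 * malloc(strlen(src)) alone leaves no room for. Caller frees. */
char *dup_string(const char *src)
{
    size_t len = strlen(src);
    char *dst = malloc(len + 1);
    if (dst == NULL)
        return NULL;
    memcpy(dst, src, len + 1);         /* copies the NUL as well */
    return dst;
}

/* Demonstrates the strncpy() pitfall: when src has >= bufsz characters,
 * strncpy writes no terminator. Returns 1 if the copied region contains
 * a NUL, 0 if it does not, -1 for an unsupported size. */
int strncpy_terminates(const char *src, size_t bufsz)
{
    char buf[64];
    if (bufsz == 0 || bufsz > sizeof buf)
        return -1;
    memset(buf, 'X', sizeof buf);      /* sentinel bytes, never a NUL */
    strncpy(buf, src, bufsz);
    return memchr(buf, '\0', bufsz) != NULL;
}

int main(void)
{
    char iface[8];                     /* constructed: room for "wlan0" + NUL */
    const char *ssid = "MyNetworkSSID"; /* constructed: 13 chars, too long */

    size_t need = bounded_copy(iface, sizeof iface, "wlan0");
    printf("iface=\"%s\" truncated=%d\n", iface, need >= sizeof iface);

    need = bounded_copy(iface, sizeof iface, ssid);
    printf("iface=\"%s\" truncated=%d\n", iface, need >= sizeof iface);

    char *copy = dup_string(ssid);
    if (copy != NULL) {
        printf("dup=\"%s\"\n", copy);
        free(copy);
    }

    printf("strncpy terminated short input: %d\n", strncpy_terminates("wlan0", 8));
    printf("strncpy terminated long input:  %d\n", strncpy_terminates(ssid, 8));
    return 0;
}
```

The truncation signal is the part worth keeping: a Wi-Fi tool that silently clips an SSID or passphrase to fit its buffer will connect to the wrong network or fail to authenticate, so the caller should check `need >= dstsz` and reject the input rather than proceed with a shortened copy.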