
RE: [PATCH] Secure programming additions to HACKING

From: Sander Striker <striker_at_apache.org>
Date: 2002-04-23 18:55:02 CEST

> From: Karl Fogel [mailto:kfogel@newton.ch.collab.net]
> Sent: 23 April 2002 18:05

> "Sander Striker" <striker@apache.org> writes:
> > I'm sure Alex wants to contribute in that department.
> >
> > I think it is wise to 'educate' the developers in the mean time, so
> > the same mistakes won't be introduced while others are being fixed.
>
> What I'm getting at is, it'll be better to figure out some code
> changes first and *then* write the new material for HACKING, based on
> the tangible experiences in the code.
>
> That patch to HACKING would have had no effect on people's coding.
> The generic practices that it recommends most of us here already know.
> Those who don't know quickly find out anyway, because of all the peer
> review. I don't think there's any place in Subversion itself where we
> read arbitrary length data into a fixed-length array; if there is,
> it's because it slipped by a bunch of people who are well aware it's a
> no-no.
>
> The stuff about security boundaries is helpful, but it wasn't specific
> enough to actually change anyone's behavior (I didn't know what I was
> supposed to do differently, for instance). It needs concrete examples
> from Subversion to be effective, that's all I'm saying.

Ah, ...in that case: +1 :)

Sander

Received on Tue Apr 23 18:49:26 2002

This is an archived mail posted to the Subversion Dev mailing list.