Where's your automation? Still waiting for it. How come there are still, literally, THOUSANDS of open-source software projects out there with lots of trivial security holes that nobody is fixing? I, for one, am EAGERLY awaiting your work to fix that.
-
-
readelf | grep rand. There are NOT thousands of FOSS projects using rand where they need a CSPRNG.
-
Right. You have all open-source programs compiled and greppable on your machine. I did not say THOUSANDS of FOSS projects using rand. I said THOUSANDS of trivial security holes. Not all of them are related to rand. I'm talking about scaling. Any individual check is basically trivial.
-
Replying to @espie_openbsd @RichFelker and
... but still, there are THOUSANDS of open-source projects that fail those basic security checks. Explain that away, if it's such a simple problem to solve. At least we are taking steps. Yep, even when it flies in the face of ISO, which is, frankly, not that helpful.
-
Replying to @espie_openbsd @RichFelker and
This looks so much like strlcpy all over again. Just because 1% of coders know how to handle strings safely without strlcpy does NOT mean tweaking things for the 99% is not a good idea.
-
Adding a useless function is a non-breaking change. Not comparable to breaking an existing one.
-
Replying to @RichFelker @espie_openbsd and
Removal of gets was good because it clearly has no valid uses. rand() and mktemp() both have lots of valid uses.
-
In the end, you don't get the big picture. We're doing the changes, we're validating the results, which includes fixing whatever breaks. The cost of fixing visible breakage is waaaay lower than keeping around silent security holes.
-
Putting #pragma poison for rand in default env & requiring manual override would have solved the problem without silent wrong behavior.
-
About pragma whatever: that's a joke, right? If people were reading warning messages and fixing them, we wouldn't have sprintfs all over the place in 2017.
-
Poison is a hard error.
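The "poison rand in the default environment, require a manual override" idea argued over above, written out as an added example. This is not code from the thread, from OpenBSD or from musl; the header layout, the ALLOW_LIBC_RAND opt-out macro and the csprng_* helper names are assumptions made for illustration. The pragma turns any later use of the identifiers rand or srand into a hard compile error (GCC and Clang both honour it), and the replacement draws from the kernel CSPRNG via /dev/urandom, with rejection sampling so that bounded integers carry no modulo bias.

```c
/* Added example: poison libc rand()/srand() project-wide unless a build
 * opts back in, and provide a CSPRNG-backed replacement.  Header name,
 * macro name and function names are assumptions, not anyone's real API. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/* --- what would live in a header every translation unit includes ------
 * After this pragma, the identifiers rand and srand are a hard error in
 * anything compiled afterwards.  The libc headers that declare them must
 * therefore be included BEFORE the pragma (they are, above).  A build that
 * genuinely wants a deterministic sequence passes -DALLOW_LIBC_RAND: that
 * is the "manual override" the tweet refers to. */
#ifndef ALLOW_LIBC_RAND
#pragma GCC poison rand srand
#endif

/* Fill buf with n bytes from the kernel CSPRNG.  /dev/urandom is read
 * directly so the example builds on any POSIX system without relying on
 * arc4random() or getrandom() being present.  Returns 0 on success. */
int csprng_bytes(void *buf, size_t n) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Uniform integer in [0, bound) with no modulo bias.  Draw 32-bit values
 * and reject those below 2^32 mod bound, so the accepted range is an exact
 * multiple of bound (the same rejection scheme arc4random_uniform uses).
 * Returns 0 on success, -1 for bound == 0 or if the CSPRNG is unavailable. */
int csprng_uniform(uint32_t bound, uint32_t *out) {
    if (bound == 0) return -1;
    uint32_t min = (uint32_t)(-bound) % bound;   /* == 2^32 mod bound */
    for (;;) {
        uint32_t r;
        if (csprng_bytes(&r, sizeof r) != 0) return -1;
        if (r >= min) {
            *out = r % bound;
            return 0;
        }
    }
}

/* Random alphanumeric token of exactly len characters plus a NUL, e.g. the
 * unpredictable part of a temporary file name.  out must hold len + 1. */
int csprng_token(char *out, size_t len) {
    static const char alphabet[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    for (size_t i = 0; i < len; i++) {
        uint32_t idx;
        if (csprng_uniform((uint32_t)(sizeof alphabet - 1), &idx) != 0) return -1;
        out[i] = alphabet[idx];
    }
    out[len] = '\0';
    return 0;
}

int main(void) {
    char token[17];
    uint32_t die;
    if (csprng_token(token, 16) != 0 || csprng_uniform(6, &die) != 0) {
        fputs("CSPRNG unavailable\n", stderr);
        return 1;
    }
    printf("token=%s die=%u\n", token, (unsigned)die + 1);
    /* int x = rand();   <- with the poison active this line does not build:
     *                      error: attempt to use poisoned "rand"            */
    return 0;
}
```

Compiling with -DALLOW_LIBC_RAND re-enables rand()/srand() for the one build that needs the deterministic sequence, which is the visible, greppable opt-in the tweet contrasts with a silently changed rand().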