On Fri, Apr 11, 2014 at 6:31 PM, Carlos E. R. <carlos.e.r@opensuse.org> wrote:
On 2014-04-11 23:27, Ted Byers wrote:
On Fri, Apr 11, 2014 at 4:30 PM, Carlos E. R. <> wrote:
...
It seems to me that, instead of being afraid of any language, it behooves a pro to be aware of the strengths and weaknesses of all the languages he uses, and select the set thereof that best supports the functional requirements of the project he's working on.
I agree.
In the case of this bug, as in most bugs I have squashed, it is not a problem of a flaw in the language, but rather a mistake in coding, and perhaps an oversight in the testing regime.
IMHO, C should be left to professionals and experienced programmers.
:-)
Yes, but there must be a way to develop the kids into seasoned old pros. ;-) Thus, I would teach the kids C and C++, but when it comes to developing production code, they do so only working closely with several intermediate programmers and very closely supervised by senior programmers. And, of course, nothing makes it into the code base without both unit tests and detailed code reviews. But the latter must be done with the intermediate and junior programmers, so that they can better learn what coding practices are risky, and, if needed, how the risks are to be mitigated. Personally, the educator in me would accompany that exercise with contrived exercises that the junior programmers would have to work on with the intermediate programmers, so that they can see, in sample programs, why some practices are risky. That is, they would have to write several programs, one which includes the risky practice that was identified in the code they just had reviewed, and then write several programs to attack it, so they can see, experimentally, hands on, the nature of the vulnerability they almost created, how to exploit it, and how to write the code in the most secure manner possible. Alas, I doubt there are very many software houses that would support such continuing education of their software development staff. :-(
His first two recommendations, generally, are the more useful.
He also said we ought to:
1) Pay money for security audits of critical security infrastructure like OpenSSL
2) Write lots of unit and integration tests for these libraries
3) Start writing alternatives in safer languages
One of the biggest factors in software quality is that those that 'manage' software projects often are unwilling to support sufficient documentation and testing. That costs money (or time in the case of open source products, and there may be a shortage of manpower to get it done right). Software houses generally want the software as inexpensive as possible, and so the usual QA processes get shortchanged, or skipped altogether. His first two recommendations go hand in glove. I have seen too many software houses (and those that hire software development contractors) that provide barely enough resources to do a decent job of prototyping, and fail to fund even basic unit testing.
I agree, too.
It is good to learn that there is at least one person I agree with. ;-)

Cheers

Ted

--
R.E.(Ted) Byers, Ph.D.,Ed.D.