On Fri, Apr 11, 2014 at 5:23 PM, Cristian Rodríguez <crrodriguez@opensuse.org> wrote:
El 11/04/14 17:30, Carlos E. R. escribió:
On 2014-04-11 21:42, Andrey Borzenkov wrote:
В Fri, 11 Apr 2014 20:01:53 +0200 "Carlos E. R." <> пишет:
I know little of how the vulnerability works,
http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
Thanks.
I love this paragraph:
+++···················· Lessons
What can we learn from this?
I'm a fan of C. It was my first programming language and it was the first language I felt comfortable using professionally. But I see its limitations more clearly now than I have ever before.
I'm not a fan of C. But I have been paid to use it, so I used it.
This suggestion frequently comes up.. particulary from people that suggest implementing this stuff in C++ .. what will happen if that were the case ? the library in question will be disfavoured or not considered for widespread use. Only projects with an existing C++ codebases such as KDE or libreoffice will take advantage of it.
I'd suggest that this would be the case only if badly done. If I were asked (and paid) to undertake such a task, one of the requirements I'd impose is that while the guts of the thing is implemented in C++, there'd be a suite of C functions that provide the interface for the DLL. While I have worked on projects that used libraries written in C in products mostly written in C++, it can be done the other way around; but it ain't easy. I know, and like, both C and C++, but I am not masochistic enough to undertake such a task if I didn't have to (or unless someone was willing to pay me enough over a few years to let me buy, and retire to, a mansion in Victoria BC ;-) And, it is harder than much more effective options that are available. On the other hand, I'd argue that there is nothing wrong with continuing on with the product being written in C. What I'd recommend, instead, is that, if the manpower can be found, beef up the unit and integration tests, and more aggressively perform security audits on the code. While I would not ask a junior programmer to do so, it is not especially hard for someone with more than a few years experience to write secure C code; as long as proper design documentation is maintained. Cheers Ted -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org