On Sun, Jan 27, 2019 at 01:07:05AM -0500, 0sjfoij...@firemail.cc wrote: > Recently on LCA2019, Joel Sing made a presentation about "Security > Vulnerability Mitigations"[1] > (very good, btw). He suggests function strlcpy(3) as a secure API. > In the same conference, though, Kees Cook ("Making C Less Dangerous in the > Linux kernel"[2]), > recommends strscpy() as more secure. So, my question is: what's the best to > use? > If anything, strscpy() made things more INsecure, by adding another confusing variation on a well-defined API that has proven itself.
strscpy reeks of "Not Invented Here", "Misplaced Hubris" and "Design by committee" syndrome, which happens so very often in Linux-land. Their only saving grace is darwinian: there are so many lemmings over there that ludicrous ideas tend to get replaced by better ideas over time.