On Sun, Jan 27, 2019 at 01:07:05AM -0500, 0sjfoij...@firemail.cc wrote:
> Recently on LCA2019, Joel Sing made a presentation about "Security
> Vulnerability Mitigations"[1]
> (very good, btw). He suggests function strlcpy(3) as a secure API.
> In the same conference, though, Kees Cook ("Making C Less Dangerous in the
> Linux kernel"[2]),
> recommends strscpy() as more secure. So, my question is: what's the best to
> use?
>
If anything, strscpy() made things more INsecure, by adding another
confusing variation on a well-defined API that has proven itself.
strscpy reeks of "Not Invented Here", "Misplaced Hubris" and "Design by
committee" syndrome, which happens so very often in Linux-land.
Their only saving grace is darwinian: there are so many lemmings over there
that ludicrous ideas tend to get replaced by better ideas over time.
