On Sep 17, 2016, at 19:30 , Jeffrey Walton <noloa...@gmail.com> wrote:
> Hi Everyone,
> CVE-2016-7420 has me questioning some of the wisdom in config.recommend and 
> config.h.

Me too. :-)

> config.recommend removes undefined behavior, but it requires user to do 
> something special. I believe most users don't need the compatibility provided 
> in config.h. Failure to use config.recommend is a replay of not defining 
> NDEBUG for production/release builds when using other tools, like Autotools, 
> CMake, Eclipse, Xcode, etc.

In other words, that’s what everybody should be using, unless there are very 
good reasons not to.

> If RTFM was going to work, it would have happened by now.

You cannot possibly believe in RTFM? :-) 
*Nobody* R TFM, y’know… :)

> Making users do something special to get into a good configuration also 
> violates Peter Gutmann's "Defend, Don't Ask"* rule. As a consequence, I'd 
> like to move config.h to config.compat; and move config.recommend to config.h.
> Any thoughts or objections?

I say - good move, and about time!
Mobile Mouse      mouse...@gmail.com

You received this message because you are subscribed to the "Crypto++ Users" 
Google Group.
To unsubscribe, send an email to cryptopp-users-unsubscr...@googlegroups.com.
More information about Crypto++ and this group is available at 
You received this message because you are subscribed to the Google Groups 
"Crypto++ Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cryptopp-users+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to