I like the use of certain utilities to find possible flaws in a program. splint (www.splint.org) has helped me find some possible bugs in DBMail and other projects. Valgrind is very useful for run-time checking, etc. Still, using your brain cells is the best way of preventing and detecting bugs.

Posting the output from a program like flawfinder isn't helpful in any way. Using flawfinder to find a possible bug, fixing the bug, posting the patch, and explaining why this patch fixes something is helpful.

Ilja



Chris Nolan wrote:

Agreed!

As a C programmer, I know that there are many functions that are part of the standard library that are problematic. That's why good C programmers are sought after, as being good means that you know about these problems and deal with them as part of your craft.

Additionally, for future reference, we already have excellent tools for doing static analysis on code. My uni actually requires all students to have their code pass a specific instantiation script for gcc with no output on stderr before submission on all coding assignments (the error checking arguments it turns on are really sadistic) and lint usage is advocated heavily.

Thing is, I don't need to tell the DBMail crew this. If they can figure out the cause of the md5() problems they were having a while ago (which they did), they can certainly debug their own code!

Best regards,

Chris

Aaron Stone wrote:

This is simply obnoxious. Please be so kind as to begin posting useful reports and well thought out patches or remove yourself from this mailing list.

Those coding have made their best efforts at avoiding common problems, buffer overflows, etc. Simply listing all of the occurrences of functions known to be problematic does not help anyone. We all have grep, and we use it.

If you were to take the time to read through the code associated with these "problem" reports, it would be immensely appreciated. By merely posting the results and expecting that we're going to jump up and down and start auditing everything, you demonstrate the worst of all development attitudes possible.

Aaron


Dan Weber <[EMAIL PROTECTED]> said:
I found a new little programmer called flawfinder.  Here is a report
from dbmail-2.0.

-- Dan Weber


[load of obnoxious encoded bullshit snipped]

--

_______________________________________________
Dbmail-dev mailing list
Dbmail-dev@dbmail.org
http://twister.fastxs.net/mailman/listinfo/dbmail-dev
