* David Fetter (da...@fetter.org) wrote: > On Fri, May 21, 2010 at 01:45:45PM -0400, Stephen Frost wrote: > > k, let's start with something simpler first tho- I'm sure we can pull in > > the glibc regression tests and run them too. You know, just in case > > there's a bug there, somewhere. > > That's pretty pure straw man argument. I expect much higher quality > trolling. D-.
Sorry, but seriously, at some point we have to expect that the tools we use will behave according to their claims and their documentation, at least until proven otherwise. I don't like that it means we may end up having to issue CVE's when there are issues in things we use, but I don't think that means we shouldn't use other libraries or we should spend alot of time working on validating those tools. Presumably, they have communities who do that. As an example, consider the zlib issue that happened not too long ago and the subsequent many CVE's that came of it. We could have reviewed zlib better and possibly found that bug, but I don't know that it would be the best use of our rather limited resources. Additionally, trying to go into other code bases like that to do that kind of detailed review would necessairly be much more difficult for those who are not familiar with it. etc, etc... Stephen
Description: Digital signature