While I'm riveted by the bug versus flaw debate - as it fundamentally illustrates the importance of discussing things from the same premise(*), I have what I would consider to be an interesting tangential issue that has been bothering me for several years.

I've written many programs (in C, C++) and have never made much effort to make them input safe. I generally made sure that buffers could not be overrun by using the 'n' versions of the string functions, and I didn't consider the task too heavily. The problem is that my code is in far wider and more varied an environment than I had ever expected, and I am now concerned that I may be exposed to some form of liability. This is due to the code having not been issued with any specific exclusion of warranty, such as would be present in the agreement for the Java language/environment.

(*) It was my logic lecturer who had an anecdote about two men arguing from different buildings. A man walks along during one of the arguments and shouts to the both of them that they will never agree as they are arguing from different premises.

--
Pete
+353 (87) 412 9576 [M] | +353 (66) 71 42367 [H]
_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php