>>> Is it a bug to use pthreads?
>> In the case of security-critical software, yes, I believe it is.
> Why? Because threaded software is too complex?

Loosely put, yes.

> But apache is security critical, isn't it?

No, or at least substantially less so - no more so than any
network-exposed daemon.

To pick one simple example, nobody with two brain cells to rub together
runs apache as root (possibly excepting briefly during early startup -
and if it doesn't throw away any such privilege long before it starts
threading, I consider that a critical bug in it), whereas most of the
things that use PAM must run as root.

To pick another, the class of machines on which apache is unnecessary
is much, much larger than the class of machines on which login and su
(and, more generally, programs which by default are built with PAM) are
unnecessary.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                [email protected]
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
