lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: cseagle at redshift.com (Chris Eagle)
Subject: Coding securely, was Linux (in)security

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Paul Schmehl
>...
>
> But it shouldn't be the job of the writer of a subroutine to verify the
> inputs.  The writer of a subroutine defines what the appropriate inputs to
> that routine are, and it's up to the *user* of that subroutine to use it
> properly.  The entire concept behind OOP is that you cannot know what's in
> the "black box" you're using.  That makes it incumbent on you as the
*user*
> of a subroutine to use the correct inputs and to *verify* those inputs
when
> necessary.
>

That is the most backward thing I have ever heard.  So you are saying all I
need to do as a programmer is tell you not to pass a negative number/null
pointer/un-initialized value... to my function and I am off the hook.  All I
can say is that I am glad utdallas doesn't have you teaching programming.
The fact that you are unaware what lies inside the black box in no way
relieves the responsibility of the designer of the black box to make sure
that it behaves predictably under all input cases.

Chris


Powered by blists - more mailing lists