[Announce] GnuPG 1.4 and 2.0 buffer overflow

Werner Koch wk at gnupg.org
Thu Nov 30 14:16:26 CET 2006


On Thu, 30 Nov 2006 12:42, christianbiere at gmx.de said:

> Nonsense. Do you want to deny that ISO C99 is a standard?

We target C-90!  There are only a handful of systems with C-99 support
(please don't look just at gcc, look also at what systems each new gcc
version does not support anymore).

> Then send bug reports or stop supporting these systems. Do you think it's
> alright to use flawed techniques just to "support" some broken and deprecated
> systems? This might be acceptable as a temporary workaround but not more.

Portability is actually a security feature.  Only thinking Linux or
BSD is narrow-minded.

> This can't be discussed often enough. Instead of repeating the same bugs over
> and over again, why don't you start to re-evaluate your tools? I'm

There are a lot of things which can be made better.  However, radical
changes to a mature code base are not an option.  And you overlook
the economic constraints: Get me financial support for documentation
and code overhaul and I will start immediately with it.  I really wish
I could do that.  First of all I need to make a living; that is as
important as having access to a keyboard, monitor and the other
hardware.

> Because that's just a myth created by some open-source zealots. I think most

You missed the irony in my statement.

> repeating the same bugs. So you say it's a better idea to look for buffer
> overflows and other bugs, providing patches, just so that people can add these
> bugs again, instead of trying to tell them how they can avoid these in the

It is not about tools or languages.  It is about education and
experience.  Look at the polls done with first-semester IT students:
Most of them do not want to learn programming, but to get a highly
paid management job.  Guess what most of them eventually do: Writing C++,
Java and PHP code.  Without being interested in the field of software
architecture, that leads to bad software.

Today, you look at buffer overflows but there are more severe bugs
out in the wild.  What about all these routers distributed by DSL
providers which come with a default password and are accessible from
the Net - a valuable resource to spammers.  That is not a mere
programming fault but one which is due to the management/QC/marketing.

There are so many places to start with making software systems more
mature.  Nobody is even interested to do the simple things first.

However, this is not the right place for such academic discussions.
The folks at http://krvw.com/mailman/listinfo/sc-l are more interested
in it.


Salam-Shalom,

   Werner
