* David Fetter (david@fetter.org) wrote:
> On Fri, May 21, 2010 at 01:45:45PM -0400, Stephen Frost wrote:
> > k, let's start with something simpler first tho- I'm sure we can pull in
> > the glibc regression tests and run them too. You know, just in case
> > there's a bug there, somewhere.
>
> That's pretty pure straw man argument. I expect much higher quality
> trolling. D-.
Sorry, but seriously, at some point we have to expect that the tools we
use will behave according to their claims and their documentation, at
least until proven otherwise. I don't like that it means we may end up
having to issue CVE's when there are issues in things we use, but I
don't think that means we shouldn't use other libraries or we should
spend alot of time working on validating those tools. Presumably, they
have communities who do that.
As an example, consider the zlib issue that happened not too long ago
and the subsequent many CVE's that came of it. We could have reviewed
zlib better and possibly found that bug, but I don't know that it would
be the best use of our rather limited resources. Additionally, trying
to go into other code bases like that to do that kind of detailed review
would necessairly be much more difficult for those who are not familiar
with it. etc, etc...
Stephen