Vetting the cargo
Posted Jun 14, 2022 0:41 UTC (Tue) by Matt_G (subscriber, #112824)
In reply to: Vetting the cargo by wtarreau
Parent article: Vetting the cargo
Personally I'm of the opinion that "trivial" code like this that is commonly implemented should belong in a language's standard library. But that has its own tradeoffs and problems. For instance, what counts as trivial code? The Getpass() example from C is a good example; it has been a while since I looked at it. In the old Unix textbook I have from the 90's this is the recommended way to read in passwords from the command line in a "secure" way. At some point someone determined that it might have security problems and was potentially not threadsafe. So it was deprecated from the POSIX standard. The last time I looked into it there was some message that said people could trivially write their own version if they needed the functionality. How trivial is writing something that requires a reasonably deep understanding of things like terminal attributes? Obviously POSIX has a different definition of trivial than I do...
Posted Jun 14, 2022 13:39 UTC (Tue) by rgmoore (✭ supporter ✭, #75)
Yeah, this seems exactly backward to me. If a reasonably common function has potential security and thread safety problems, that's a sign that it probably should be handled by a library everyone has access to. If the standard implementation has problems, it's extremely likely all those hand-rolled solutions that replace it will have the same kinds of problems, but with many fewer people around to notice and fix them. Things that are common but fiddly are exactly what you're supposed to put into libraries, so it gets written carefully exactly once.
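For reference, the terminal-attribute handling that the comments above call fiddly looks roughly like this in C. This is an added example, not code from the thread, from any libc or from POSIX; `read_secret` and `demo_via_pipe` are hypothetical names, and the block covers echo handling and buffer ownership only.

```c
#include <errno.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Hypothetical helper (not a libc function): read one line from fd into a
 * caller-owned buffer, so there is no shared static buffer as in getpass().
 * Returns the length read, or -1 on error, empty EOF, or overlong input. */
ssize_t read_secret(int fd, char *buf, size_t len)
{
    struct termios saved, noecho;
    int is_tty = isatty(fd), ok = 0;
    size_t n = 0;

    if (len == 0) return -1;
    if (is_tty) {
        if (tcgetattr(fd, &saved) != 0) return -1;
        noecho = saved;
        noecho.c_lflag &= ~(tcflag_t)ECHO;     /* do not echo typed characters */
        /* TCSAFLUSH also discards type-ahead entered while echo was still on */
        if (tcsetattr(fd, TCSAFLUSH, &noecho) != 0) return -1;
    }
    for (;;) {
        char c;
        ssize_t r = read(fd, &c, 1);
        if (r < 0 && errno == EINTR) continue; /* retry after a signal */
        if (r < 0) break;                      /* I/O error */
        if (r == 0) { ok = n > 0; break; }     /* EOF */
        if (c == '\n') { ok = 1; break; }
        if (n + 1 >= len) break;               /* overlong: fail, never truncate */
        buf[n++] = c;
    }
    /* Restore on every return path. Not handled here: a signal that kills the
     * process while echo is off leaves the terminal without echo. */
    if (is_tty) tcsetattr(fd, TCSAFLUSH, &saved);
    if (!ok) { memset(buf, 0, len); return -1; }
    buf[n] = '\0';
    return (ssize_t)n;
}

/* Constructed demo input: feed bytes through a pipe instead of a terminal. */
ssize_t demo_via_pipe(const char *input, char *out, size_t len)
{
    int p[2];
    if (pipe(p) != 0) return -1;
    ssize_t w = write(p[1], input, strlen(input));
    close(p[1]);
    ssize_t n = (w < 0) ? -1 : read_secret(p[0], out, len);
    close(p[0]);
    return n;
}
```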