> As of this writing, Cap’n Proto has not undergone a security review

This is outdated, I should remove it. Cap'n Proto has been reviewed by multiple security experts, though not in a strictly formal setting. I trust it enough to rely on it for security in my own projects, but yeah, I am cautious about making promises to others...

> Something like that has to be rigorously tested or proven to be free of buffer overflows.

I've done a bunch of fuzz testing with AFL and by hand. I've also employed static analysis via template metaprogramming to catch some bugs. See: https://capnproto.org/news/2015-03-02-security-advisory-and-... (That was... almost five years ago.)

> The "zero overhead" claim goes away as soon as you send variable length items. Then there has to be some marshaling.

Space for messages is allocated in large blocks. The contents of the message are allocated sequentially in that space and constructed in-place. So once built, the message is already composed of a small number of contiguous memory segments (usually, one segment), which can then be written out easily. Or, if you're mmaping a file, you can have the blocks point directly into the memory-mapped space and avoid copying at all -- hence, zero-copy. So no, there is no marshaling.
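A constructed C illustration of the segment-style, build-in-place layout the comment describes (added here; this is not Cap'n Proto's code and the struct layout is a hypothetical one, not its wire format): the variable-length name is bump-allocated into the same segment and referenced by offset, so the segment can be written out as-is, and the reader bounds-checks every offset against the received length before dereferencing it.

```c
#include <stdint.h>
#include <string.h>

#define SEG_CAP 256  /* constructed: one fixed-size segment */

typedef struct {
    uint8_t buf[SEG_CAP];
    uint32_t used;       /* bump pointer: next free byte in the segment */
} segment_t;

/* Hypothetical fixed-size record. The name is referenced by offset+length
   within the same segment, so the bytes are position independent. */
typedef struct {
    uint32_t id;
    uint32_t name_off;
    uint32_t name_len;
} person_t;

/* Sequential allocation inside the segment, 8-byte aligned; -1 when full. */
static int32_t seg_alloc(segment_t *s, uint32_t n) {
    uint32_t aligned = (n + 7u) & ~7u;
    if (aligned > SEG_CAP - s->used) return -1;
    int32_t off = (int32_t)s->used;
    memset(s->buf + off, 0, aligned);
    s->used += aligned;
    return off;
}

/* Build the record and its variable-length name in place; no later
   marshaling step is needed, s->buf[0..used) is the message. */
static int32_t build_person(segment_t *s, uint32_t id, const char *name) {
    int32_t p_off = seg_alloc(s, sizeof(person_t));
    if (p_off < 0) return -1;
    uint32_t len = (uint32_t)strlen(name);
    int32_t n_off = seg_alloc(s, len);
    if (n_off < 0) return -1;
    person_t p = { id, (uint32_t)n_off, len };
    memcpy(s->buf + p_off, &p, sizeof p);
    memcpy(s->buf + n_off, name, len);
    return p_off;
}

/* Receiver side: read the name straight out of the received bytes. Every
   offset and length came off the wire, so it is checked before use. */
static const char *read_name(const uint8_t *msg, uint32_t msg_len,
                             uint32_t p_off, uint32_t *len_out) {
    if (p_off > msg_len || msg_len - p_off < sizeof(person_t)) return NULL;
    person_t p;
    memcpy(&p, msg + p_off, sizeof p);  /* copy avoids misaligned access */
    if (p.name_off > msg_len || msg_len - p.name_off < p.name_len) return NULL;
    *len_out = p.name_len;
    return (const char *)msg + p.name_off;
}
```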