[throttle]

Haven't you heard about the egregious buffer overflow vulnerabilities found recently in Ruby? Not a good idea to use it for anything serious in light of those, IMO.

[jrockway]

I'm not a Ruby fan, but wouldn't finding those buffer overflows make it more secure? Now that they've been found, they're fixed. (Sure, it could be indicative of overall careless design, but I don't think that's the case here. A few silly mistakes, now no longer a problem.)

Finally, Ruby has more than one implementation. Finding a hole in one implementation says nothing about the language overall.

[tptacek]

Yes. Everyone else: find a large C codebase that has shipped without an integer overflow. Go ahead. I'm waiting.

[tptacek]

Want some help? Don't bother with qmail. Daniel J. Bernstein managed to ship a version of qmail with an integer overflow.

(That's the only vulnerability ever found in qmail, and it wasn't exploitable --- Postfix has had much worse).

[jrockway]

Too bad the original qmail is nearly useless these days. (I had a class with DJB in college, and used qmail for quite a while. Eventually I got overrun with spam and switched to something that would reject messages immediately after virus/spam scanning them.)

The point is that writing simple software in C is possible. But writing complex software is very very hard.

[tptacek]

Every mail server I've ever run has been qmail, including my current company's current mail server, which backs a relatively popular blog and a pretty healthy number of press hits with @matasano.com mail addresses, along with several decently active open mailing lists, and I simply don't have any of these problems you're talking about.

If you took a class with Bernstein, you might be familiar with the ISP whose entire mail operation, including customer POP and virtual hosting, I ran on qmail --- that'd be EnterAct. So yeah, I'm not buying your "qmail is too simple to matter" argument. If you want to chase it down, I'll be happy to show you where the last few Sendmail vulnerabilities were found. Clue: not in the crazy Sendmail features that qmail lacks.

But that's besides the point. You didn't answer my question.

Name a piece of code of comparable complexity to qmail that's never had an integer overflow. Here's another hint: Perl isn't one of them.

[throttle]

The mistakes are so amateurish that it should raise questions about the rest of the codebase (i.e. the defects which are yet to be found)...

[j2d2]

What projects have you done?

[jrockway]

should raise questions about the rest of the codebase (i.e. the defects which are yet to be found)

It has.

[tptacek]

By who? Cite someone who matters.

[tptacek]

Haven't you heard about JF's talk at PH-Neutral and the memory corruption vulns they found in Python and Perl? Not a good idea to use those for anything serious either. I guess we're all stuck with Erlang.