by jspdown 23 days ago
I find this kind of rewrite both disrespectful and completely useless. Useless because the difficulty isn't getting to a working state but maintaining it. You now have to build a community around it to make any of this worthwhile. What would this software be worth if security issues weren't patched and bugs weren't fixed? You can't do this alone. And I find it disrespectful because people have spent decades building this, and you're taking all that collectively built knowledge to create something that will compete with the project itself.

I hope people will restrain themselves from doing this, at least in the name of good ethics. I fear this is going to hurt OSS a lot.

I hope people will hold back from this, if only out of respect for the work that came before. I fear it could do real damage to OSS. It would discourage the maintainers whose effort makes any of it possible.


Hmm, I view open source as purely positive sum. Valkey was forked from Redis in the first place.

But this is more about memory safety - you can have immense respect for the giants who built these tools but also be worried that memory safety might become an even bigger deal. If someone found a memory zero day in nginx or OpenSSL, for example, that is a very big deal!

I think this is one strategy we should look into; hopefully people in the C community look into other options like Project Glasswing, next-generation fuzzers, etc. When the world of security is changing so fast, it is good to get a lot of shots on net.

And what if someone gets pwned by a bog standard logic or input validation bug in your slopped together "nginx" that is not present in the original?
And what if they get owned by a memory safety issue that's in the original and not the rewrite?

I know many of these projects have been around for years but it's time for developers to put on their big boy panties and start taking memory safe languages seriously. Watching the same attacks again and again for 30 years is getting droll.

If someone is running projects with a big "alpha" tag in production, exposed to the web they very well might get pwned haha!