May 9th, 2003 04:42 PM
This obviously varies from developer to developer. In the case of the OpenBSD team, for example, the developers are using the stack protection technologies to enhance the security. They don't rely on it, nor do they 'get lazy'. Auditing of strcat and strcpy, as well as other insecure functions, is still very much alive in cases where the developers are dedicated--dedicated enough to keep spitting out code that is much more secure even if the stack protection mechanisms fail.
If the devs rely on the protection, the code is only as strong as the protection. If they use both the more secure calls and stack protections, the code is more secure. Either way, the protection tends to enhance security, and this is the point I was trying to make.
Any more thoughts, anyone?
To whoever negged me w/ reason: "hypocrite"
1) you spelled it wrong
2) how am I being hypocritical?
3) at least explain your reasoning or make it publicly known
Have you filled out an ID-10-T or PEBKAK form lately?