me, 2.0: google code search

me, 2.0: jose nazario beauty and the street

google code search

ok, now that i've filed a bunch of bugs found by using google codesearch, i hope you see the point: we have a moderately powerful, very large-scale code comber. arm yourself with some regular expressions and voila, you can spot bugs in dozens of projects at once. some of these may be really nasty, exploitable bugs. most are just minor annoyances.

i intentionally left out a boatload of security bugs i've found, including off by ones, web application bugs, an authentication bypass in pam_smb, what may be another security bug in another product, and more. i'm trying to be responsible when i do this. these bugs here aren't very sexy, they're minor reliability or functionality bugs. but, one of those in the wrong place can lead to a security issue, and it often does.

like i said in an earlier post, find a lot of bugs and fix 'em, and a few will be security related. the worst you wind up with is more reliable software, and that's not a bad thing. this has historically been the mantra of OpenBSD, and it has usually worked.

i'm not going to run off to bugtraq and file a slew of reports, i've chosen instead to work with the developers of the possible security bugs (and really all bugs) that i've found and get those issues fixed. now that i have been working for a commercial software development house for many years, i see how hard it is to get everything right in development and testing. stuff slips through the cracks, and the best thing you can do is respect your peers and work with them to fix minor nits. after all, i write very buggy code myself, we all do.

update: dang, the mozilla bug i found was already known. my bug on it was the second duplicate!

next Saturday, Oct 07, 2006 @ 10:05pm | previous Saturday, Oct 07, 2006 @ 03:26pm | archives

Last modified: Saturday, Oct 07, 2006 @ 03:38pm

Your Ad Here