I like the clarification:

Let me also touch this subject while talking security problems. This bug, the oldest so far in curl history, was a plain logic error and would not have been avoided had we used another language than C.

Otherwise, about 40% of all security problems in curl can be blamed on us using C instead of a memory-safe language. 50% of the high/critical severity ones.

Almost all of those C mistakes were done before there even existed a viable alternative language – if that even exists now.

  • Blue_Morpho@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    1
    ·
    14 days ago

    As the article says, the problem was the logic. They had thousands of hours of model checking.

    • solrize@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      ·
      14 days ago

      They had 1000s of hours of fuzz testing. Model checking means something different.