On Fri, Jan 28, 2022 at 3:04 PM Robbie Harwood rharwood@redhat.com wrote:
Adam Williamson adamwill@fedoraproject.org writes:
...and yet despite being so easy to review it somehow had a major security vulnerability ever since it was written.
This is not a good metric. easy to review != was sufficiently reviewed, and getting sufficient code review might be the hardest problem in software engineering.
Additionally, if a project has never had an issue, it's just as likely that no one has ever really looked at it than that it's "safer".
Actually, someone had conceived that it might be a problem in 2013: https://ryiron.wordpress.com/2013/12/16/argv-silliness/
desktop@lists.fedoraproject.org