"Secure coding" audit checkers and Kerberos

Nicolas Williams Nicolas.Williams at sun.com
Wed Oct 15 17:16:18 EDT 2008

On Wed, Oct 15, 2008 at 04:05:10PM -0500, John Hascall wrote:
>   1) snprintf is also non-standard
>   2) there are some horrible snprintf's out there,
>      including ones which do little more than call sprintf!

The MIT-krb5-uses-snprintf() train departed long ago.

The Consortium might well decide to [continue to] provide portable
versions of these, or that MIT krb5 will not support platforms which do
not provide at least working snprintf().  I would support either.

I do object to avoiding *s*printf().  If ultimately that means that MIT
krb5 won't run on certain older systems, I really don't care.  (And if
you think I'm biased, we still support Solaris 9, complete with the old
snprintf() semantics.  There is, of course, a bias towards "vendors" or
"distros" in what I write above.  I don't apologize for it, though I do
disclose it.)

