"Secure coding" audit checkers and Kerberos

Nicolas Williams Nicolas.Williams at sun.com
Wed Oct 15 17:36:15 EDT 2008


On Wed, Oct 15, 2008 at 04:29:55PM -0500, John Hascall wrote:
> > The MIT-krb5-uses-snprintf() train departed long ago.
> 
> So be it, but it does seem a little odd to be worried about
> a code-analysis tool false-flagging perfectly safe uses of
> strcpy/strcat and suggesting that the fix is to use something
> known to have a whole array of missing/bad/dangerous
> implementations.

I agree.  I think this is not really a necessary exercise unless it is
part of a larger styling exercise that aims to prevent lots of unsafe
things.

Nico
-- 
