Re: OT: Re: Secure popen

From: Steffen Dettmer (steffenat_private)
Date: Mon Jun 25 2001 - 02:21:10 PDT


    * Crispin Cowan wrote on Fri, Jun 22, 2001 at 09:47 -0700:
    > > beauty is in the eye of the beholder.  perl is much more legible to me than
    > > c++, and i prefer c++ legibility to many other languages.
    > 
    > You are definitely on crack.  PERL is world renowned as the "write only
    > programming language."  PERL provides five ways to do any given
    > thing.  This makes it convenient to do rapid prototyping, 
    
    You are right when you say: it's easy to write hard-to-read code
    in perl. Same for C/C++. But with perl it's easy to write well
    readable code, too. Discipline has to come from the developer.
    
    Using three of those five ways you can even increase readability
    more, but this depends on the style of the developer. I.e. you
    can use "if" before the statement if the condition is unexpected
    (or "seldom") and before otherwise. Better an example. If usually
    a!=0 write:
    
    $b = 100/$a unless ($a == 0);
    
    if a is usually 0 write:
    
    unless ($a == 0) {
    	$b = 100/$a;
    }
    
    unless itself is more readable than "if" (except if you come from
    C and are not trained with perl)
    
    
    > Unfortunately, it also means that the odds are that the author
    > of the software you're trying to read chose a different way to
    > do something than the one you're familiar with.
    
    Perl is a complex and big language. Because of this it's
    harder to learn of course. But if you try to make readable code with
    perl, it's possible. If you're not familiar with hashes as
    data structures, it's hard to understand of course, but if you
    are, it's often more intuitive than having some lists with
    pointers...
    
    > This makes it relatively hard to read the code.  In the
    > alternative, it makes it 5 times harder to fully understand the
    > PERL language by memorizing every single construct.
    
    oki, I agree.
    
    > > > Scripting languages such as Perl are useful for quick hacks, but
    > 
    > I do, for the above reasons.
    
    I disagree here. You can write really nice classes / packages
    with perl. If you use getter/setter, you can make a type-safe
    class (but only at runtime, which is not perfect, I know). You
    can reject illegal values. Same with tie, you can even force some
    int to stay in some ranges like in Ada.
    
    Perl is highly customizable. You can "use strict;" but you don't
    have to. All-in-all, I would say: With perl it's easy to write
    both unreadable and readable code.
    
    > > the majority of the program crashes in this world are related
    > > to C/C++ and its use of pointers.
    > 
    > That's because C/C++ is also a type-unsafe language.
    > 
    > Perl programs don't "crash", but they do produce unexpected
    > results. Perl is at least as guilty as C of encouraging slack
    > developers into believing that their program is correct just
    > because it appears to "work."
    
    With the right coding style you can reduce that risk a lot. You
    can implement an exception-style processing if desired. Perl
    doesn't force you to use some style, since I cannot know your
    problem. If you need to shoot yourself in the foot you can do so; it's not
    the job of a language to prevent this (I know the exceptions :)).
    
    > >  it is very easy to write secure perl programs.
    
    Let's say: possible. You will have at least good programming
    guidelines and of course you need to pay some attention.
     
    > No, it is very easy to write perl programs.  To be secure, they
    > would have to be audited, and auditing them is hard because
    > PERL is hard to read.
    
    Let's say: Some Perl programs are hard to read. Well, and of
    course it's helpful to have some comments at the right place,
    i.e. in regular expressions. It's possible. 
    
    > This is true.  However, we're talking about the merits of the
    > programming languages.  Neither Perl nor C/C++ are very good
    > for security.
    
    Compared with C, I think perl is really secure. And if it's
    insecure, usually the "damages" of insecure perl programs are
    less than that of C programs. I.e. with the taint-mode an
    attacker may DoS your CGI, but it's not easy to exploit them (if
    the developer hasn't shot herself in the foot :)).
    
    > Perl is good for rapid prototyping, 
    
    yep, for instance.
    
    > C is good for high performance, 
    
    for instance, yes.
    
    > Java is a much stronger contender for secure
    > programs, primarily because it is type safe.
    
    Same for Ada, yep, it has advantages to have real types, i.e. int
    ranges.
    
    oki,
    
    Steffen
    
    -- 
    This message was produced by machine,
    so it bears neither signature nor seal.
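A worked illustration of the "tie" idea mentioned in the post above (a scalar that can only hold an integer within a fixed range, so a bad value dies at runtime instead of being silently used); this is an added example, not code from the original message, and the package name RangedInt and the port range are made up for the demonstration:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not from the original post: a tied scalar that only
# accepts integers inside a fixed range, so an out-of-range assignment
# dies at runtime instead of silently producing a bad value.
package RangedInt;

# tie() calls TIESCALAR with the class name and the extra arguments.
sub TIESCALAR {
    my ($class, $min, $max, $initial) = @_;
    my $self = bless { min => $min, max => $max }, $class;
    $self->STORE(defined $initial ? $initial : $min);
    return $self;
}

# STORE runs on every assignment to the tied variable.
sub STORE {
    my ($self, $value) = @_;
    die "undefined value\n" unless defined $value;
    die "not an integer: '$value'\n" unless $value =~ /\A-?\d+\z/;
    die "value $value outside [$self->{min}, $self->{max}]\n"
        if $value < $self->{min} || $value > $self->{max};
    $self->{value} = $value;
}

# FETCH runs on every read of the tied variable.
sub FETCH { return $_[0]->{value}; }

package main;

# Constructed sample: a TCP port number, 1..65535, starting at 8080.
tie my $port, 'RangedInt', 1, 65535, 8080;
print "port is $port\n";

$port = 443;                       # in range, accepted
print "port is now $port\n";

# Each of these assignments dies inside STORE; eval catches it and the
# variable keeps its last good value.
for my $bad (0, 70000, 'abc') {
    eval { $port = $bad; 1 } or print "rejected: $@";
}
print "port still $port\n";
```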
    
    This archive was generated by hypermail 2b30 : Tue Jun 26 2001 - 14:12:05 PDT