Steffen Dettmer wrote: > * Crispin Cowan wrote on Fri, Jun 22, 2001 at 09:47 -0700: > > > beauty is in the eye of the beholder. perl is much more legible to me than > > > c++, and i prefer c++ legibility to many other languages. > > You are definitely on crack. PERL is world renowned as the "write only > > programming language." PERL provides five ways to do any given > > thing. This makes it convenient to do rapid prototyping, > ... > > Unfortunately, it also means that the odds are that the author > > of the software you're trying to read chose a different way to > > do something than the one you're familiar with. > > Perl is a complex and big language. Because of this it's more > hard to learn of course. An interesting claim, given that this thread started from the claim that Perl is so easy to learn that clueless newbies do it, resulting in lots of bad code. > But if you try to make reable code with > perl, it's possible. It is a given that it is possible to write secure, readable code in ANY programming language. In discussing the security merrits of a programming language, we are not talking about the possible great heights of achievement in that language, we are talking about the depths of horrible coding practice that are possible (or common) in that language, and the difficulty of a source code auditor in finding such bad practice. Perl is VERY bad in that regard. > > > > Scripting languages such as Perl are useful for quick hacks, but > > > > I do, for the above reasons. > > I disagree here. You can write really nice classes / packages > with perl. What you *can* do is irrelevant. What is relevant is what bad things newbies and idiots do, and how hard that is to detect. > If you need to shot you in the foot you can do, it's not > job of an language to prevent this (I know the exceptions :)). It IS the job of a secure language to prevent you from shooting yourself in the foot. That's what distinguishes secure languages like Java and ML from flexible languages like C and Perl. > > No, it is very easy to write perl programs. To be secure, they > > would have to be audited, and auditing them is hard because > > PERL is hard to read. > > Let's say: Some Perl programs are hard to read. Well, and of > course it's helpful to have some comments at the right place, > i.e. in regular expressions. It's possible. But MANY Perl programs are hard to read. Perl's design ENCOURAGES the writing of hard-to-read programs. I'm talking about the impact of the language itself, not the quality of some programs written in that language. Great software can and has been written in many bad languages. > > This is true. However, we're talking about the merrits of the > > programming languages. Neither Perl nor C/C++ are very good > > for security. > > Compared with C, I thing perl is really secure. What is the basis for this claim? Security bugs in Perl code are rampant, especially in CGI/web applications. These bugs tend not to be loudly reported, because they are not major components of major OS vendor's systems. Rather, they're cute little web apps that are distributed ad hoc. Crispin -- Crispin Cowan, Ph.D. Chief Scientist, WireX Communications, Inc. http://wirex.com Security Hardened Linux Distribution: http://immunix.org Available for purchase: http://wirex.com/Products/Immunix/purchase.html
This archive was generated by hypermail 2b30 : Thu Jun 28 2001 - 19:22:23 PDT