On Tue, Apr 08, 2014 at 12:43:15AM -0400, Nick Sabalausky wrote:
> On 4/8/2014 12:15 AM, H. S. Teoh wrote:
> >
> >I learned the hard way to always keep on top of the security upgrades. A year or two ago, I put off a pending upgrade for a week, and the day before I finally got around to it, my server was hacked via the same vulnerability that the upgrade would've fixed. They got root, so I had to nuke the system from orbit after backing up my data, and rebuild the server from scratch. :-( Ever since then, I've set up the system to notify me as soon as an update is available, and now I dare not delay to install it ASAP.
> >
> 
> Yea, that's a good idea.
> 
> Is that Arch? How does your querying for security updates work? Just querying for updates on security-related packages, or somehow filtering on whether a package's update is security-realted...or just a general "grab every update for everything"?

Actually, it's Debian/stable (which only gets security upgrades). I just installed cron-apt and set it up to email me about upgrades.

In theory, if I were lazy, I'd set it up to just install all updates automatically, but I do like to review exactly what gets installed before installing it, since I did get bitten before by a careless upgrade breaking existing software in a major way. (The worst instance of this was when I unknowingly upgraded libc6 to a version that's incompatible with the VPS kernel, causing the dynamic linker (and thus *all* executables) to break. I had to resort to heavy-handed tactics[1] to fix it.)


[1] Heavy-handed, as in: http://eusebeia.dyndns.org/bashcp


T

-- 
Жил-был король когда-то, при нём блоха жила.

On Tuesday, 8 April 2014 at 01:59:50 UTC, Ary Borenszweig wrote:
> On 4/7/14, 8:28 PM, w0rp wrote:
>> http://heartbleed.com/
>>
>> This bug has been getting around. The bug was caused by missing bounds
>> checking.
>>
>> I'm glad to be using a language with bounds checking.
>
> http://www.reddit.com/r/programming/comments/21m0bz/warp_a_fast_c_and_c_preprocessor/cged2y6
>
> I think that flag shouldn't exist.

The flag is useful if the program works in a trusted environment like a developer compiling his own code on his own machine.

On Tuesday, 8 April 2014 at 01:59:50 UTC, Ary Borenszweig wrote:
> On 4/7/14, 8:28 PM, w0rp wrote:
>> http://heartbleed.com/
>>
>> This bug has been getting around. The bug was caused by missing bounds
>> checking.
>>
>> I'm glad to be using a language with bounds checking.
>
> http://www.reddit.com/r/programming/comments/21m0bz/warp_a_fast_c_and_c_preprocessor/cged2y6
>
> I think that flag shouldn't exist.

Personally, I would never turn off bounds checking, except for maybe a single-player video game or similar.

On 4/8/14, w0rp <devw0rp@gmail.com> wrote:
> http://heartbleed.com/

Is there a link to a specific section of code where this bug is introduced? That page is massive and all I want to do is see the buggy code. :>

On Monday, 7 April 2014 at 23:28:03 UTC, w0rp wrote:
> http://heartbleed.com/
>
> This bug has been getting around. The bug was caused by missing bounds checking.
>
> I'm glad to be using a language with bounds checking.

I never got the point of not having bounds checking in C and its ilk.

All the alternative system programming languages allow disabling them, if one really needs to do so.

Which should only be done after profiling, proving it is the cause of the application not delivering the desired performance and only on the exact spot.

Me too am glad see bounds checking in D by default.

--
Paulo

Am 08.04.2014 04:11, schrieb Nick Sabalausky:
> On 4/7/2014 9:59 PM, Ary Borenszweig wrote:
>> On 4/7/14, 8:28 PM, w0rp wrote:
>>> http://heartbleed.com/
>>>
>>> This bug has been getting around. The bug was caused by missing bounds
>>> checking.
>>>
>>> I'm glad to be using a language with bounds checking.
>>
>> http://www.reddit.com/r/programming/comments/21m0bz/warp_a_fast_c_and_c_preprocessor/cged2y6
>>
>>
>>
>> I think that flag shouldn't exist.
>>
>
> I think it's potentially useful on a very careful per-module basis for
> certain modules specifically intended for no compiler-inserted bounds
> checking (or better yet, for specific blocks of code). But I certainly
> would never compile a whole program with it. That's just asking for
> trouble.
>

Sounds like adding a pragma instead would be a good idea. Of course that should make any affected code automatically @system.

On Tuesday, 8 April 2014 at 01:59:50 UTC, Ary Borenszweig wrote:
> On 4/7/14, 8:28 PM, w0rp wrote:
>> http://heartbleed.com/
>>
>> This bug has been getting around. The bug was caused by missing bounds
>> checking.
>>
>> I'm glad to be using a language with bounds checking.
>
> http://www.reddit.com/r/programming/comments/21m0bz/warp_a_fast_c_and_c_preprocessor/cged2y6
>
> I think that flag shouldn't exist.

Personally I think it should exist, but in a more controlled way, a compiler pragma.

For example Turbo Pascal has something like {$R -} code {$R +}.

--
Paulo

> I'm glad to be using a language with bounds checking.

That brings a question about dmd -release flag. I'd like a flag
to turn off asserts and contracts, but leave enabled all bounds
checking. IMHO that is not possible currently ?

On 4/8/2014 2:12 AM, Martin Krejcirik wrote:
> That brings a question about dmd -release flag. I'd like a flag
> to turn off asserts and contracts, but leave enabled all bounds
> checking. IMHO that is not possible currently ?

-release leaves bounds checking on. Use -noboundscheck to turn off bounds checking.

On 4/8/2014 1:47 AM, Paulo Pinto wrote:
> I never got the point of not having bounds checking in C and its ilk.

C hardly even has arrays.