[langsec-discuss] LangSec Workshop at IEEE SPW 2014, Sun May 18, 2014

Christien Rioux crioux at gmail.com
Tue Nov 26 07:55:29 UTC 2013


When will we see a language in popular use other than Modula-2 with
multilevel cycles and exits? That is the question ... specific better is better
than vague better :)


On Tuesday, November 26, 2013, Vitaly Osipov wrote:

> > Things DO get better.  Very few people use raw GOTO statements any more
>
> Depends what you mean by “very few people”. "Goto out" is a popular idiom
> in the Linux kernel.
>
> “Freetext search: goto (17689 estimated hits)”
>
> http://lxr.linux.no/linux+v3.12.1/+search=goto
>
> Things do get better, it's just that the betterness is not evenly distributed.
>
> Regards,
> Vitaly
>
>
> On Tue, Nov 26, 2013 at 9:19 AM, Will Sargent <will.sargent at gmail.com> wrote:
>
> I generally find it helps to think about the good programmers who would
> like to improve but don't know quite how, rather than the worst.
>
> Things DO get better.  Very few people use raw GOTO statements any more.
> It's been years since I saw people eval input.  I'd say Ruby is better for
> purpose than Perl, and Java (and the JVM) is safer than using raw C or C++.
>
> Ultimately, the nicest thing about using value objects produced from a
> recognizer is that it's a richer experience.  For the same reason that
> people want to use types and abstract data types like Option / Maybe and
> Either, they'll want to use value objects.
>
>
> On Mon, Nov 25, 2013 at 12:51 PM, Grawrock, David <david.grawrock at intel.com> wrote:
>
> Nils, this is almost the same as answering the question "what is the best
> programming language". The answer isn't X or Y, it is "well what is the
> program supposed to do". If your answer is always Java, please tell me how
> you are going to write Java code for a device driver that executes during
> early boot, including when memory isn't initialized yet. Don't think Java
> will fit :)
>
> You select the best tool for the job and use that. We have to get
> programmers to understand that one tool doesn't fit all and one way of
> validating and formatting input doesn't work either.
>
> But we HAVE to make this easier to use and understand, with some very
> EXPLICIT helps to get people moving.
>
> David Grawrock
> Security Architect
> 503 264 3642
>
> -----Original Message-----
> From: langsec-discuss-bounces at mail.langsec.org [mailto:langsec-discuss-bounces at mail.langsec.org] On Behalf Of Nils Dagsson Moskopp
> Sent: Monday, November 25, 2013 12:36 PM
> To: travis+ml-langsec at subspacefield.org
> Cc: langsec-discuss at mail.langsec.org
> Subject: Re: [langsec-discuss] LangSec Workshop at IEEE SPW 2014, Sun May 18, 2014
>
> travis+ml-langsec at subspacefield.org wrote on Mon, 25 Nov 2013
> 10:20:39 -0800:
>
> > […]
> >
> > The hard part is going to be spending the time and effort to integrate
> > with those framework/library/language teams and get your stuff in
> > there and up-to-date.  And that's where most solutions fail.  But that's
> > exactly the same difficulty that the developers face in integrating
> > your work into their apps.
> >
> > Not saying it's right, just that that's how it is.  For the best
> > security, we need to minimize the cost of using the systems.
>
> Unfortunately, few things prevent a mediocre programmer writing a quick
> hack that subverts the purpose of software designed to avoid systemic
> failure. Exhibit A: handlebars.js, <http://handlebarsjs.com/> which
> manages to introduce logic into (logic-less) mustache templates
> <http://mustache.github.io/mustache.5.html>.
>
> Having talked to proponents of e.g. Ruby on Rails and JavaScript, I am now
> firmly convinced that hipster programmers are – by and large – not
> interested in systems that work well or are easy to use, but systems that
> are either popular or give a distinction (ego) benefit. Exhibit B:
> “Power users” who complain that any system unfamiliar to them is hard to
> use, yet “grudgingly” accept the countless annoying idiosyncrasies of their
> preferred “solution”. In the end, programming is pop culture.
>
> --
> Nils Dagsson Moskopp // erlehmann
> <http://dieweltistgarnichtso.net>
>
>
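As an added illustration of the recognizer-to-value-object pattern Will Sargent describes above (this is example code written here, not code from the thread or from any poster): the recognizer decides membership in a small host:port language and hands downstream code an Endpoint value object or an Either-style Rejected, so nothing past the recognizer ever touches the raw string. The grammar, the Endpoint/Rejected names and the sample strings are all assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Union

# The accepted input language is spelled out as a grammar first (recognizer before use).
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST = rf"{_LABEL}(?:\.{_LABEL})*"
_PORT = r"[1-9][0-9]{0,4}"          # no leading zeros, no sign, at most 5 digits
_ENDPOINT = re.compile(rf"({_HOST}):({_PORT})")


@dataclass(frozen=True)
class Endpoint:
    """Value object: only recognize_endpoint() is meant to construct one."""
    host: str
    port: int


@dataclass(frozen=True)
class Rejected:
    """The 'Left' side of an Either: why the input was not in the language."""
    reason: str


def recognize_endpoint(raw: str) -> Union[Endpoint, Rejected]:
    # fullmatch, not match()/search(): a '$'-anchored pattern still accepts a trailing newline.
    m = _ENDPOINT.fullmatch(raw)
    if m is None:
        return Rejected("not in host:port grammar")
    host, port = m.group(1), int(m.group(2))
    if len(host) > 253:
        return Rejected("hostname longer than 253 octets")
    if port > 65535:                # regex admits up to 99999; range check is semantic
        return Rejected("port out of range")
    return Endpoint(host, port)


def connect_string(ep: Endpoint) -> str:
    # Downstream code takes the value object; it never sees or re-validates the raw string.
    return f"tcp://{ep.host}:{ep.port}"


# Constructed sample inputs (hypothetical, not taken from the thread).
SAMPLES = ["db.example.org:5432", "db.example.org:5432\n", "db.example.org:080",
           "db.example.org:70000", "db.example.org:5432 "]

if __name__ == "__main__":
    for s in SAMPLES:
        r = recognize_endpoint(s)
        print(repr(s), "->", connect_string(r) if isinstance(r, Endpoint) else r)
```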