[Numpy-discussion] How security holes happen
William Ray Wing
wrw at mac.com
Mon Mar 3 13:39:48 EST 2014
On Mar 3, 2014, at 11:59 AM, Chris Barker <chris.barker at noaa.gov> wrote:
> And significant indentation!
>
> really, no one beat me to that?
>
> ;-)
>
> There was a nice Blog post about this from a Google Chrome developer -- less critical than I'd think, who pointed out that it's really hard to write unit tests for this sort of thing, due to the need for a LOT of scaffolding -- but why integration tests didn't find it is beyond me....
>
> Also -- code review anyone?
>
> (not that my code is well reviewed or thoroughly tested -- but I'm not writing security code used by millions of people...)
>
> The other oddity is that Apple is saying that they don't know when or how this got into the code -- do they REALLY not have a decent version control system???? Or maybe they are being nice to whoever did make this mistake...
>
> -Chris
Apple has been known to contract out and/or buy some of its software from third parties. I wouldn’t be a bit surprised to discover that this was part of such a package. It represents such a common and fundamental library that it might well be the sort of thing they found it cheaper to buy.
Of course, that begs a follow-on question or two - who else might be using it, and was the cost savings worth the loss of reputation?
Bill