Fwd: zlib 1.2.2 released

Jason Gurtz jason at tommyk.com
Wed Nov 3 08:48:49 PST 2004

On 11/3/2004 11:15, Matthias B. wrote:

> And you think that a new library written from scratch would have fewer
> vulnerabilities? I'm sorry to disappoint you, but you are mistaken. If you
> have X man-hours to invest into security, you're better off spending them
> on code audits for the old code than on writing completely new code.

That completely depends on the state of the original code in question.  I
can't say if the zlib code's design structure is good or bad but I can
express frustration at the string of bugs being found recently.

There is a number of examples where code was rewritten with pretty much
successfully outcome rather than continuing to fight endlessly with
spaghetti.  BIND, MS IIS 6.0, Sendmail is being rewritten as we speak....
 All three of those are good examples of long strings of bugs that made it
quite obvious that there were many more not found yet.  One would think
that hopefully zlib isn't as complex as those above but then one wouldn't
think a dns server would be that complex either.

Full ACK though, rewriting should be a last resort.



More information about the lfs-security mailing list