Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 26 May 2023 22:35:52 +0200
From: Jₑₙₛ Gustedt <jens.gustedt@...ia.fr>
To: Rich Felker <dalias@...c.org>
Cc: Joakim Sindholt <opensource@...sha.com>, musl@...ts.openwall.com
Subject: Re: [C23 string conversion 1/3] C23: add the new
 memset_explicit function

Rich,

on Fri, 26 May 2023 16:16:03 -0400 you (Rich Felker <dalias@...c.org>)
wrote:

> We had all of these discussions back when explicit_bzero was added,
> and it was done the way it was done because it's portable (within the
> framework of what musl already requires) and non-arch-specific, has
> zero overhead, avoids any code duplication or bad performance
> open-coding another memset variant,

My impression is that such information is quite difficult to find, but
maybe I didn't search enough. Sometimes code comments would help ;-)

Bad performance really isn't a valid argument in this case. This is
not supposed to be efficient. Any user that uses this has to know that
they are trading it for something.

> and avoids taking part in any security theater (pretending we can
> clear things we can't).

It is not about taking part. For me it is just about offering to our
users the best service for this tricky question that we may, and not
less.


Thanks
Jₑₙₛ

-- 
:: ICube :::::::::::::::::::::::::::::: deputy director ::
:: Université de Strasbourg :::::::::::::::::::::: ICPS ::
:: INRIA Nancy Grand Est :::::::::::::::::::::::: Camus ::
:: :::::::::::::::::::::::::::::::::::: ☎ +33 368854536 ::
:: https://icube-icps.unistra.fr/index.php/Jens_Gustedt ::

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.