It’s been over a decade since I’ve programmed in C. I read through the source code for this project and now I remember what I hated about C.
There’s a ton of laziness in this code about checking types. It’s not self-documenting at all. There’s a lot of if (!timeout), if (!ptr), if (!...) where that ... could be an int, a pointer, a char, or any number of other things. Then you see a lot of commits trying to fix bad assumptions that those values would be 0. For example, in the timeout case the code initially only checked whether it was 0 or nonzero. Then later there was a commit to take into account the fact that the timeout could be negative.
I have no idea what this function does but in any sane modern language that function would return a type that you could switch over if the expected behaviors are for timeout < 0, timeout == 0, and timeout > 0.
The commit that changed
else if('\\' == *ptr) {
to this
else if('\\' == *ptr && ptr[1]) {
is only because of C’s uniquely bad string type.
There are literally hundreds of commits fixing memory leaks.
My bet is that if you were to re-write curl in a newer language, you might miss out on some functionality but you wouldn’t have nearly as many security holes.
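The trailing-backslash condition quoted in the comment above, as an added example that is not part of the original comment and is not curl's code: a constructed unescape loop run with and without the `ptr[1]` test. The function names and the sample buffer are assumptions made for illustration; the bytes after the terminator sit in the same array so the over-read stays inside defined memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed unescape loop (hypothetical, not curl's code): copies src to dst,
 * turning "\x" into "x". check_next selects the condition with or without the
 * "&& ptr[1]" test. Returns how many bytes of src were consumed. */
static size_t unescape(const char *src, char *dst, size_t dstlen, int check_next)
{
    const char *ptr = src;
    size_t out = 0;

    while (*ptr && out + 1 < dstlen) {
        if ('\\' == *ptr && (!check_next || ptr[1])) {
            ptr++;               /* skip the backslash */
            dst[out++] = *ptr++; /* copy the escaped byte, even if it is the NUL */
        } else {
            dst[out++] = *ptr++; /* ordinary byte, or a lone trailing backslash */
        }
    }
    dst[out] = '\0';
    return (size_t)(ptr - src);
}

/* Constructed input: the string "ab\" and its terminator, followed by
 * unrelated bytes that happen to live in the same array. */
static const char sample[] = "ab\\\0SECRET";

static size_t consumed(int check_next)
{
    char out[32];
    return unescape(sample, out, sizeof out, check_next);
}

int main(void)
{
    printf("strlen(sample)        = %zu\n", strlen(sample));
    printf("consumed, no ptr[1]   = %zu\n", consumed(0)); /* walks past the NUL */
    printf("consumed, with ptr[1] = %zu\n", consumed(1)); /* stops at the NUL */
    return 0;
}
```

Without the check the loop steps over the terminator and keeps copying whatever follows it; on a buffer that ends at the terminator, the same step is an out-of-bounds read.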
I’m super curious where you thought you were going with this? Some weird form of “since there’s no alternative, (this is the best way|stop bitching about it)”? Or maybe “well if it’s so bad, then you get in there and fix it!”?
Are we not allowed to comment on bad source code simply because it’s widely used or that we haven’t written a similarly popular library? Objectively bad source code can and does exist. This code wasn’t written by just one person, it was written by many.
Maybe you were genuinely asking for examples on other software. If so, you should know that your demand for examples comes off as vaguely hostile. And then to ask everyone who doesn’t understand you to “grow up” reinforces the perceived hostility in your original comment.
My apologies if you’re already aware of all this, the last thing I want is a confrontation.
I read an airy
“My bet is that if you were to re-write curl in a newer language, you might miss out on some functionality but you wouldn’t have nearly as many security holes.”
and I asked for backup on the implied comparison. It’s easy to assert that something that works is terrible compared to what you imagine it should be, but there are actual engineering reasons why such a high percentage of the internet machinery is written in C/C++ or Java and not in some “newer language”. What are the examples of solid, widely used, systems components written in something newer or better and what does the CVE track of those examples look like? If you have them, that would be interesting. If you don’t, then the critique is lacking traction.
I don’t think it is petty to criticize the tools we use, they’re not all created equal. In Go’s case, it might be beating a dead horse, though.
I definitely agree with you. Being critical of your tools is how you get better tools.
For this though, to take a bunch of subjective articles wholesale and glue them together as an affirmation that something is bad shows a lack of willingness to consider why that something was ever brought into existence. It’s just bad form.
It means you don’t write the kind of code that appears in the hero image of the article.