Closed hce closed 8 years ago
mrkkrp
commented
8 years ago Well, the library is designed to be as pragmatic and practical as possible. I don't have the time / need to actually test if it's significally slower than zlib-conduit that we currently use and honestly don't see any point in switching. Adding an option to use yet another "backend" would only make it more complex without any real benefit.
hce
commented
8 years ago ...except that it is not prone to buffer overflow attacks because it's not written in C. I can try to add it myself if you prefer, though.
mrkkrp
commented
8 years ago I'll be honest with you, I don't see much value in this. If you like you can play with it in a fork and if its performance is at least 90 % of current implementation we can talk about switching. I'm mainly interested in speed because this is what I need for my own projects. I run the code in controlled environment where it's unlikely that buffer overflow attacks could be attempted. Thank you for your proposition and interest anyway. Closing for now.
hce
commented
8 years ago I, OTOH, use it to read zip files that anyone can upload to a website. Would it be an option for you to add a flag of some sort so one can choose which zlib to use?
Sure I can fork, but I'd rather avoid that unless you consider your lib bugfree and feature complete ;-)
mrkkrp
commented
8 years ago No, the library is not perfect of course, I'm in favor of improvements of any sort, but this particular proposition seems to solve problems I don't have. If you limit size of files that can be uploaded, how attacker can use buffer overflows? (I'm not an expert in computer security, but known vulnerabilities are unually fixed fast).
hce
commented
8 years ago Buffer overflows do not require large payloads. Of course, libz probably is perfectly safe, but then again, maybe it isn't. And since it is used very widely, a bug found in there might be used on a large scale. Some people even harvest links/IPs that accept certain types of input and then wait for a bug to be found... And unfortunately, some bugs are never reported publicly...
I haven't had time yet to have a look in detail at pure-libz, but I will probably do so this weekend. I expect it to be (maybe significantly) slower than C libz, but if the user of your lib could choose which library to use.... both use cases would be handled nicely IMHO...
Hi! I stumbled upon a pure haskell libz implementation by the smart folks at @GaloisInc ... ( https://hackage.haskell.org/package/pure-zlib ) Wouldn't it make sense to add that to your library? I haven't tested that lib yet in terms of performance, but IMHO having a 100% haskell pure zip library would be awesome...