Thread: source access
08-15-2005, 04:04 AM
darkone
Disabled
 
Join Date: Dec 2001
Posts: 2,230

For several reasons, I'm not all that worried about users finding remote exploits by investigating the source code:
1) There's so much of it.
2) Complexity of code is much higher than in ordinary multithreaded daemons. Core is not traceable by most, because there are various processors (threads) performing each task.
3) All memory allocations are being traced, so resource leaks are very unlikely. Daemon is able to recover ~100% of the time, if there is not enough memory/resources available.
4) There is no 3rd party code in the source tree (with exception of sha1 library).

But the following factors prevent us from doing so:
1) Possible, and likely, IP theft; using algorithms that have taken months to develop without permission in non-ioftpd-related projects. It would be next to impossible to monitor this.
2) Illegal (unofficial/underground) code branches would be likely to emerge, if we decided not to implement certain feature(s) that a group of users wants.
3) While in many cases other developers could speed up the process, we would have to have a skilled person validating all the input (outfit needs to be the same, some algorithms need to be profiled and trimmed and, most importantly, not everything is worth implementing).