Lately, people have started adding sprintf() -> snprintf() and str*() -> strl*() "clean-ups" to their ports.
There is value to this, but unless you can convince the upstream maintainer to incorporate the changes it turns into a Sisyphean task. We don't have the manpower to maintain our own patchsets for this indefinitely.

snprintf() is in POSIX and I think ISO C, too. Except for historic platforms, it's available everywhere.

strl*() is widely available, except in Linux libc. (I think Ulrich Drepper's ongoing refusal to include strl*() there is probably the single largest obstacle to safer code today.) The OpenBSD implementations can easily be included in people's software, though--they are tiny, self-contained, and under the most simple and liberal license.

Please, please, if you think fixing dozens or hundreds of unsafe function calls is worth the effort, then making sure that those fixes are accepted upstream should be worth your effort as well.

-- 
Christian "naddy" Weisgerber [EMAIL PROTECTED]
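Added example, not part of the original message: the kind of sprintf() -> snprintf() and strcpy() -> strlcpy() conversion discussed above, with the truncation checks that make the change worthwhile. The names ex_strlcpy, join_path and copy_name are hypothetical; ex_strlcpy is a stand-in written for this example (not OpenBSD's source) so the block also builds on a libc without strlcpy().

```c
#include <stdio.h>
#include <string.h>

/* Stand-in with strlcpy() semantics, written for this example. */
static size_t ex_strlcpy(char *dst, const char *src, size_t dsize)
{
    size_t srclen = strlen(src);

    if (dsize != 0) {
        size_t n = srclen < dsize - 1 ? srclen : dsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';          /* always NUL-terminated when dsize > 0 */
    }
    return srclen;              /* length needed, so callers can detect truncation */
}

/* Before: sprintf(out, "%s/%s", dir, file);  (unbounded write into out) */
int join_path(char *out, size_t outsz, const char *dir, const char *file)
{
    int n = snprintf(out, outsz, "%s/%s", dir, file);

    if (n < 0 || (size_t)n >= outsz)
        return -1;              /* output error or result did not fit */
    return 0;
}

/* Before: strcpy(out, name); */
int copy_name(char *out, size_t outsz, const char *name)
{
    if (ex_strlcpy(out, name, outsz) >= outsz)
        return -1;              /* truncated: treat as an error, do not use out */
    return 0;
}

int main(void)
{
    char buf[16];               /* constructed sample inputs below */

    printf("%d\n", join_path(buf, sizeof(buf), "/usr/ports", "x11"));
    printf("%d\n", join_path(buf, sizeof(buf), "/usr/ports", "devel/gmake"));
    printf("%d %s\n", copy_name(buf, sizeof(buf), "a-very-long-package-name"), buf);
    return 0;
}
```

Swapping the function name alone only bounds the write; checking the return value is what keeps a silently truncated path or name from being used.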