On Fri, Oct 29, 2021 at 09:53:25PM +0200, Lennart Poettering wrote: > On Fr, 29.10.21 13:57, David Cantrell (dcantrell@xxxxxxxxxx) wrote: > > > Has there been any consideration for potential security risks with > > regards to the data in this string? Of concern to me are encoding > > formats, size limits or reporting, and structure formats. The > > proposal notes JSON, which has been involved in security related > > problems in the past. > > One of the reasons we are sticking to JSON here is so that we can use > battle-tested parsers we already use for other stuff. you want a > parser that is already used, verified, tested elsewhere, and JSON > makes that easy. A homegrown parser of an entirely new special purpose > format is a lot more problematic security-wise. In particular, the implementation in systemd is undergoing continuous fuzzing in oss-fuzz, so we hope any simple issues have been already caught. Zbyszek _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
