> In error checks that detect “impossible” conditions, just abort. There is usually no point in printing any message. These checks indicate the existence of bugs. Whoever wants to fix the bugs will have to read the source code and run a debugger. So explain the problem with comments in the source.<p>But then the person <i>RUNNING</i> the program will only see this:<p><pre><code> Abort trap: 6
</code></pre>
And that's all the info you'll get from their bug report.<p>So please ignore this directive and print a descriptive message always, complete with file and line, and the values that led to the impossible situation. Then you can get helpful bug reports like:<p><pre><code> BUG: flush.c:51: buff_offset (65535) must not be greater than 20!
Abort trap: 6</code></pre>
> When you want to use a language that gets compiled and runs at high speed, the best language to use is C. C++ is ok too, but please don’t make heavy use of templates. So is Java, if you compile it.<p>Back in the early days, this sentence was more like <i>"When you want to use a language that gets compiled and runs at high speed, the best language to use is C."</i>.<p>So we switched from a path where all major desktop environments (OS/2, Mac, Windows, UNIX) were adopting C++ to a surge in C programming, as FOSS adoption started to gain steam.<p>So here we are now, about 30 years later, trying to fix the security inconveniences caused by this manifesto.
I see that they still say:<p>>>> Please don’t use “win” as an abbreviation for Microsoft Windows in GNU software or documentation. In hacker terminology, calling something a “win” is a form of praise. You’re free to praise Microsoft Windows on your own if you want, but please don’t do so in GNU packages. Please write “Windows” in full, or abbreviate it to “w.”<p>But they have removed some other guidance:<p>>>> Instead of abbreviating “Windows” to “un”, you can write it in full or abbreviate it to “woe” or “w”.
Always interesting to see standards across different groups. The kernel is also very interesting, being very strict and having reasoning that not all may agree with, but has proved to work well.<p>I think C is a beast for standard in general due to it's rogue history. Now when a language like Rust or Go is created, standards are released with the code via formatting tools that enforce consistency (which I'm all for).<p>The amount of time I've seen C code with inconsistencies within a single file (naming, spacing, you name it) from fellow students back when I was in college was insane.<p>Enforced code style standards are great, even if I don't agree with them. Go's public vs private distinction is a good example. I really am not a huge fan of the pascal vs camel case to denote private and public (it's grown on me a bit, but still not a fan), but I know their code is going to be reasonable (in looks) because Go is very picky about how the code looks.
><i>In most Unix utilities, “long lines are silently truncated”. This is not acceptable in a GNU utility.</i><p>Would be interested to know examples for this.
How about "always use gcc/g++ in memory-safe compilation mode?"<p>I'd like to be able to type something like:<p><pre><code> gcc -march=x86-64-safe my_buggy_server.c
</code></pre>
Come to think of it, that should probably be the default.