From: Theo de Raadt
Subject: Re: Miscellaneous LibreSSL portability fixes
To: deraadt@openbsd.org, sortie@maxsi.org, tb@theobuehler.org
Cc: tech@openbsd.org
Date: Sun, 3 Nov 2024 05:05:39 -0700

> (Btw the breakage for 64-bit uid_t and gid_t has been small. It's mostly
> just printf issues which are caught with -Werror=format. I am unaware of
> any security issues so far although yes I am concerned about silent
> truncation.)

BTW, I believe there will be more than this.

I am confident the software ecosystem contains int->string->int
roundtripping, and the potential of short buffers and missing error
checking is quite plausible.

It will not be easy to identify, and add checks into all those upstream
locations where that might occur, because those checks will rot quickly
because it becomes code not tested by upstreams.

Being weird has a cost. It has to provide value to exceed the cost.
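The int->string->int roundtripping hazard discussed in the message above, shown as an added example in C; this is not code from the thread, from OpenBSD or from LibreSSL. It assumes a hypothetical platform where uid_t was widened to 64 bits (`wide_uid_t` here) while some caller still formats the id into a buffer sized for a 32-bit decimal value. The unchecked version drops digits silently and parses back a different id; the checked version treats snprintf truncation and an incomplete or overflowing parse as errors. The function names and the 11-byte buffer size are constructed for the illustration.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical widened uid type: stands in for a 64-bit uid_t. */
typedef uint64_t wide_uid_t;

/* Legacy buffer sized for a 32-bit uid in decimal: 10 digits + NUL.
   Constructed for the example; real code would use a larger buffer. */
#define LEGACY_UID_BUF 11

/* Unchecked roundtrip: ignores snprintf's return value, so an id with
   more than 10 digits is silently cut short, then parses back with no
   endptr or errno check. Returns whatever value survives the trip. */
wide_uid_t roundtrip_unchecked(wide_uid_t uid) {
    char buf[LEGACY_UID_BUF];
    snprintf(buf, sizeof buf, "%" PRIu64, (uint64_t)uid); /* may truncate */
    return (wide_uid_t)strtoull(buf, NULL, 10);          /* unchecked parse */
}

/* Checked roundtrip: fails if the formatted value would not fit, or if
   the parse did not consume the whole buffer or overflowed.
   Returns 0 on success (and stores the value in *out), -1 on failure. */
int roundtrip_checked(wide_uid_t uid, wide_uid_t *out) {
    char buf[LEGACY_UID_BUF];
    int n = snprintf(buf, sizeof buf, "%" PRIu64, (uint64_t)uid);
    if (n < 0 || (size_t)n >= sizeof buf)
        return -1; /* output was (or would have been) truncated */

    char *end;
    errno = 0;
    unsigned long long v = strtoull(buf, &end, 10);
    if (errno == ERANGE || end == buf || *end != '\0')
        return -1; /* overflow, no digits, or trailing garbage */

    *out = (wide_uid_t)v;
    return 0;
}

/* Convenience wrapper: 1 if the checked roundtrip succeeds and returns
   the original id unchanged, 0 otherwise. */
int checked_roundtrip_preserves(wide_uid_t uid) {
    wide_uid_t out;
    return roundtrip_checked(uid, &out) == 0 && out == uid;
}

int main(void) {
    /* Constructed sample ids: one that fits the legacy buffer, one that
       does not (11 decimal digits). */
    wide_uid_t small = 4294967295ULL;
    wide_uid_t big   = 12345678901ULL;

    printf("unchecked %" PRIu64 " -> %" PRIu64 "\n",
           (uint64_t)small, (uint64_t)roundtrip_unchecked(small));
    printf("unchecked %" PRIu64 " -> %" PRIu64 "  (silently truncated)\n",
           (uint64_t)big, (uint64_t)roundtrip_unchecked(big));
    printf("checked   %" PRIu64 " preserved: %d\n",
           (uint64_t)small, checked_roundtrip_preserves(small));
    printf("checked   %" PRIu64 " preserved: %d  (rejected, not mangled)\n",
           (uint64_t)big, checked_roundtrip_preserves(big));
    return 0;
}
```

The defensive pattern is the same one the thread's `-Werror=format` catches for printf: make the formatting and parsing steps report failure instead of producing a plausible-looking but different id.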