[zeromq-dev] Vulnerability of devices to incoming messages
Pieter Hintjens
ph at imatix.com
Thu Aug 12 00:01:03 CEST 2010
On Wed, Aug 11, 2010 at 11:49 PM, Brian Granger <ellisonbg at gmail.com> wrote:
> I think the core question that this bug brings up is the following:
> In what situations do we want a 0MQ process to crash?
> Here is my simple answer: never

Here's my view.

Processes should be as vulnerable as possible to internal errors, and
as robust as possible against external attacks and errors. To give an
analogy, a living cell will self-destruct if it detects a single
internal error, yet it will resist attack from the outside by all
means possible.

Assertions are absolutely vital to robust code, they just have to be
on the right side of the cellular wall. (And there should be such a
wall, if it's unclear whether a fault is internal or external, the
design is broken IMO.)

It definitely seems more useful that zmq_send() returns an error
rather than silently dropping a message it can't process, and I'll
take a look at that tomorrow. It needs Sustrik's input, he presumably
has some reason for the current strategy.

-Pieter