[Owasp-esapi-c++] Boost Library
Kevin W. Wall
kevin.w.wall at gmail.com
Sun Aug 7 14:21:49 EDT 2011
On Sun, Aug 7, 2011 at 7:42 AM, Jeffrey Walton <noloader at gmail.com> wrote:
> Hi guys,
>
> Don't take this personally, but I recommend yanking Boost (unless an
> asset gets involved who is willing to take ownership of the Boost
> gear). I've wasted too much time on trying to get the self test to
> compile and run.
>
> The library looks like C-ish to me due to all the macros - something I
> would expect to see in Microsoft's MFC. I don't think I have ever seen
> a macro used in Stroustrup's or Meyers' two books - The C++
> Programming Language, Effective STL, and Effective C++, respectively.
> Others have commented similarly.
Yup, always a bad sign. Except for cases of conditional compilation,
I always try to avoid macros and prefer consts and inline code
so you can still get proper strong typing.
> I have found the documentation to lack clarity and cohesiveness, and
> the author's link to sample projects are broken.
Is this only for Boost Test or for the other Boost libraries as well?
> I'm finding it's difficult to find answers (including through the
> mailing list). The list is low volume, and when someone does answer,
> it seems to be with the "it works for me" undertone.
How about comp.lang.c++ Google Group? Probably signal to noise
ratio is intolerable there, I'm guessing.
> Others seem to have had similar problems, and the author does not
> appear to appreciate/understand that the documentation and samples
> have room for improvement.
>
> I'm also concerned that the malfunctioning test library will mean
> folks *won't* write the tests at all. Lack of or incomplete testing
> would be very bad territory to get into.
I think that's a valid concern. The question is, have you, or
anyone else had time to find something that is decent? I think
we sort of just decided on Boost Test by default b/c we were
planning on using the other Boost libraries.
> All things considered, this library looks like a potential sink that
> could cost a lot in development time. I understand Boost is a
> collection of separate projects, but I think past performance will be
> indicative of future expectations. It's free software - you get what
> you pay for.
Do you think all the Boost libraries that we were considering are
of this low quality? If so, perhaps we need to reexamine Boost.
OTOH, if the rest of them are decent, I don't have a problem just
dumping Boost Test.
If we dump all of them, we are back to square one.
And BTW, while we are on the topic of supporting libraries, does anyone
know of a decent FOSS class library that we can use to build the
SecurityConfiguration around? Something that would support Java-style
properties files and not have a dozen dependencies would be ideal.
The advantage of using Java-like properties files is that it would save
us time (and errors) of converting ESAPI 2.0 for Java's ESAPI.properties
to some new format.
Worst case is I suppose we could build this, but I'd prefer to
reuse. Anyone know if perhaps the Apache Foundation has something
like this?
-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents." -- Nathaniel Borenstein