Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
strenholme 2 hours ago

Shameless plug time:

My own MaraDNS has been extensively audited now that we’re in the age of AI-assisted security audits.

Not one single serious security bug has been found since 2023. [1]

The only bugs auditers have been finding are things like “Deadwood, when fully recursive, will take longer than usual to release resources when getting this unusual packet” [2] or “This side utility included with MaraDNS, which hasn’t been able to be compiled since 2022, has a buffer overflow, but only if one’s $HOME is over 50 characters in length” [3]

I’m actually really pleased just how secure MaraDNS is now that it’s getting real in depth security audits.

[1] https://samboy.github.io/MaraDNS/webpage/security.html

[2] https://github.com/samboy/MaraDNS/discussions/136

[3] https://github.com/samboy/MaraDNS/pull/137

binaryturtle 43 minutes ago | parent [-]

That's a bit shameless, indeed.

dnsmasq has served me well for like an eternity in multiple setups for different use cases. As all software it has bugs. And once located those get fixed. Its author is also easy to communicate with.

Why should I switch over to something way less proven? I'm quite sure your software also has bugs, many still not located. Maybe because it's less popular/ less well known nobody cares to hunt for those bugs? Which means even if the numbers of found bugs is less in your software at the moment, and it may look more audited for this reason, it may actually be way less secure.

rgkpz 34 minutes ago | parent | next [-]

"All software has bugs" is the most meaningless statement ever. It is just used for bonding with fellow bug writers who sit at a virtual campfire and muse about inevitabilities.

Demonstrably some software has fewer bugs, and its authors are often hated, especially if they are a lone author like Bernstein. Because it must not happen!

Projects with useless churn and many bug reports are more popular because only activity matters, not quality.

zamadatix 10 minutes ago | parent [-]

"All software has bugs" so "be wary of the one trying to say they haven't had any in 3 years" not so "I guess all are equal". For extremely low security bug rates either the scope is extremely narrow, the claim is dubious, or the project is a massive effort which the community talks about directly in posts rather than plugs (e.g. curl).

daneel_w 29 minutes ago | parent | prev [-]

> Why should I switch over to something way less proven?

Must they prove their software to you? They're offering an alternative, not bargaining for a deal.