Microsoft - Free Development System

Website · Post by **Z-Man** » Tue Nov 08, 2005 10:53 pm

Microsoft is giving away "Express Editions" of their newest iteration of IDEs for free. See here:
http://msdn.microsoft.com/vstudio/express/
I'm carefully reading the EULA to see if you're required to sign with your blood somewhere

(It's reasonable for a platform provider to give out development tools for the platform for free, so I don't expect too many strings attached. There is no distribution restriction of the compilation result as it seems.)

I'll try to build AA with it and report back.

Website · Post by **Z-Man** » Tue Nov 08, 2005 11:22 pm

Grr. Activation required whithin 30 days. Activation requires Passport. Z-Man violently opposes Passport. Z-Man angry.

But they say on the registration FAQ that if you can't activate the installation, you can download a full installation CD ISO and that won't require later activation. I'll do that tomorrow.

hang3r · Post by **hang3r** » Wed Nov 09, 2005 2:41 am

Yes, Microsoft tend to release there products like this sometimes, as well as there betas, what gets me with the beta of VS I downloaded from Microsoft a while ago was, if you read the license it says something along the lines of "This product will refuse to start after a period of 60 days" or something along the lines of that. But it is good that Microsoft are doing things like this...

Small steps... small steps...

EDIT: ill stick to code::blocks for now

Website · Post by **Z-Man** » Wed Nov 09, 2005 10:15 am

Bwahahaha! Read this:
http://msdn.microsoft.com/vstudio/expre ... fault.aspx
A noble idea in principle, but look at the example.

Jonathan · Post by **Jonathan** » Wed Nov 09, 2005 10:49 am

Unprogrammers.

Post by **Lucifer** » Wed Nov 09, 2005 10:58 am

Am I just sleepy? It didn't make any sense to me.

Other than I got the distinct message "Since Windows has soooo many buffer overrun exploits we figured we'd just rewrite the standard C library. You see, Microsoft is an expert at fixing buffer overrun exploits, we just can't find them, that's all." Not to mention the line about buffer overruns being a problem in lots of deployed code *cough* *cough*.

Website · Post by **Z-Man** » Wed Nov 09, 2005 11:34 am

The point about the example is that strncpy already has buffer overrun protection build in via the maximal length parameter; the only way I have seen strncpy used is to pass the maximal size of the buffer there. Of course, another usage of strncpy would be to truncate strings to a length smaller than the available buffer, there the new function has some merit. It lifts the burden to do a "if ( buffersize >= desired_length )" test.

The smart tech writer wrote:If the incoming slmax parameter equals zero, the strncpy_s function will invoke an invalid parameter handler to indicate a run-time error. By default, this will terminate the program.

I really hope it checks a little more than that.

I have to admit I don't know what the "restrict" keyword is doing there, but since you manually need to pass the size of the buffer anyway, I suppose it's not doing much.

And yes, it's also about them DEPRECATING THE C STANDARD LIBRARY FUNCTIONS. But that's not funny.

hang3r · Post by **hang3r** » Wed Nov 09, 2005 11:35 am

If I start using a microsoft compiler, I will not be using /GS

, Dont like the idea of having overhead from that. Seems so stupid, maybe the /GS option should be a tutorial on how write buffer overflow free code.

Post by **Lucifer** » Wed Nov 09, 2005 11:58 am

Silly man, they can't write that tutorial because they don't know how to do it themselves.

It'd be nice if gcc supported the /gs flag though and did exactly that. Can GNU guys write buffer overrun-free code?

hang3r · Post by **hang3r** » Wed Nov 09, 2005 12:15 pm

Silly old man, anything that is developed under a GNU license that has a buffer overflow is fixed almost as fast as its released. After all, people want credit for fixing the problem as well as finding and exploiting it.

Edit: Its the open source way of life

Website · Post by **Z-Man** » Wed Nov 09, 2005 12:43 pm

Yeah right. Just making something open source means a thousand security experts will scan it for problems the minute it is released and who find all issues ten minutes later.</sarcasm>

Lucifer: there is something called "Hardened GCC" that does similar things. I consider the switch useful, too. I'll test whether the overhead really is negligible as they claim.

<opinion>The best way to avoid memory handling related security problems or other errors is not to use C style arrays or pointers to memory blocks. Use C++ containers, or even better, a managed language like Java, C# or Python</opinion>

Jonathan · Post by **Jonathan** » Wed Nov 09, 2005 12:57 pm

My opinion:
- Know what you're doing, especially in C.
- Use something like Java if you need complex memory management and have no specific needs.
But this should be obvious, like much posted here.

hang3r · Post by **hang3r** » Wed Nov 09, 2005 1:01 pm

zman: No, what im saying is people can look into the code, find the problem and fix it.

Walking Tree · Post by **Walking Tree** » Wed Nov 09, 2005 3:29 pm

Good micosoft is not (really) supporting c/c++ in vista (I believe)... They've got no clue...

I agree on the 'use java' bit: C/C++ are powerful, but dangerous if you don't know what you're doing. I am currently avoiding java and c#, but only because i have learned to have 'public static void main'... python r0x tho

hang3r · Post by **hang3r** » Wed Nov 09, 2005 4:08 pm

Zman: Ah, sorry I should have made myself more clear, by released I was referring to the bug.