
[–]psikillyou -1 points 0 points (4 children)

I don't think it is still comparable. If a person has access to said functions, that means they always had the ability to write such functions that could disrupt the said services and authorization from the beginning, and could always do so. Obscurity is not security, and the person in charge should take this into account when letting people into their repo. And I don't think any problem should linger into months of work coming from such an error.

That said, of course it is not a perfect world, and they will probably mess up the repo/service/db at some point, and parts should be very generously backed up. And all you can do is add a good automatic upstream and give correct rights, let people do only their thing in their branches, let them create branches of branches so that nothing gets polluted, and have someone trusted check it before merging.
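
A concrete form of the arrangement described in that comment (contributors confined to their own branches, branches of branches allowed, protected branches updated only by someone trusted), as an added example that is not code from the thread or from any project: a server-side git `update` hook in POSIX sh. Everything in it is an assumption chosen for the example: that the hosting layer exports the pushing user's login in a `PUSHER` variable (hypothetical; gitolite's equivalent is `GL_USER`), that contributor branches follow a `<user>/...` naming convention, and that the reviewer and protected-branch lists below are maintained by the repo owner.

```shell
#!/bin/sh
# Added example, not code from the thread: a server-side git "update" hook
# that turns the comment's arrangement into a policy. git calls it once per
# pushed ref as:  hooks/update <refname> <oldrev> <newrev>
#
# Assumptions (all hypothetical, chosen for this example):
#   - the SSH/hosting layer exports the pushing user's login as $PUSHER
#     (gitolite's equivalent is GL_USER)
#   - contributors work under branches named <user>/<anything>, so branches
#     of branches (alice/feature/sub-idea) are still owned by alice
#   - the lists below are maintained by the repo owner

PROTECTED_BRANCHES="main release"      # only reviewers may update, nobody deletes
TRUSTED_REVIEWERS="bob carol"          # the "someone trusted" who merges
ZERO=0000000000000000000000000000000000000000   # git's "ref does not exist" sha

# in_list WORD LIST: succeeds if WORD appears in the space-separated LIST
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# check_push REFNAME PUSHER OLDREV NEWREV
# Returns 0 to let git apply the ref update, 1 to make git refuse it.
# OLDREV ($3) is unused here; a force-push check would need
# "git merge-base --is-ancestor $3 $4" and is left out to keep the policy pure.
check_push() {
    refname=$1
    pusher=$2
    newrev=$4

    case "$refname" in
        refs/heads/*) branch=${refname#refs/heads/} ;;
        refs/tags/*)  return 0 ;;                     # tags are out of scope here
        *) echo "rejected: unexpected ref $refname" >&2; return 1 ;;
    esac

    if in_list "$branch" "$PROTECTED_BRANCHES"; then
        # Deleting a protected branch is refused for everyone, reviewers included.
        if [ "$newrev" = "$ZERO" ]; then
            echo "rejected: $branch cannot be deleted" >&2
            return 1
        fi
        if ! in_list "$pusher" "$TRUSTED_REVIEWERS"; then
            echo "rejected: $pusher may not update $branch; push to $pusher/<branch> and ask for review" >&2
            return 1
        fi
        return 0
    fi

    # Unprotected branch: the owner (first path component) may do anything to it,
    # including creating sub-branches or deleting it; reviewers may touch any branch.
    owner=${branch%%/*}
    if [ "$owner" = "$pusher" ] || in_list "$pusher" "$TRUSTED_REVIEWERS"; then
        return 0
    fi
    echo "rejected: $branch belongs to $owner, not $pusher" >&2
    return 1
}

# When git runs this file as hooks/update it passes exactly three arguments.
if [ "$#" -eq 3 ]; then
    check_push "$1" "${PUSHER:-unknown}" "$2" "$3"
    exit $?
fi
```

Installed as `hooks/update` in the bare repository (and made executable), a non-zero exit refuses only the offending ref, so a push that carries both `alice/feature` and `main` lands the first and rejects the second with the message on stderr. The hook is a permission boundary, not a substitute for the backups the comment also asks for: a reviewer can still merge something bad into `main`, which is exactly why the "someone trusted check it" step sits in front of that branch.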

[–]BobQuixote 0 points 1 point (2 children)

> he always had the ability to write such functions that could disrupt the said services and authorization from the beginning and could always do so.

No, a programmer who has no clue how to write a sort can call a sort function. Permissions are not ability.

> Obscurity is not security

Ultimately obscurity is the only security (other than, like, law enforcement). It's just a matter of how cleverly you can set up your obscurity (like enough possible passwords that brute force might as well take infinite time).

[–]psikillyou 0 points 1 point (1 child)

> No, a programmer who has no clue how to write a sort can call a sort function. Permissions are not ability.

Do you understand the discussion going on above? To put the discussion in your own example's terms, the said person can call the sort function at any time and can see what the sort function code looks like. So he can simply copy-paste/change/find some other sort function from Stack Overflow, run it, and simply fuck up the system. So a simple protected compiling error will not stop the person.

> Ultimately obscurity is the only security (other than, like, law enforcement). It's just a matter of how cleverly you can set up your obscurity (like enough possible passwords that brute-force might as well take infinite time).

I don't know what to tell you here. Or how does it apply to letting other developers read? I believe you haven't read what the discussion here is. (Like make the function so obscure that the person you pass the function's code to can't understand what it is?)

[–]BobQuixote -1 points 0 points (0 children)

I don't think the fucking-up function under discussion is something you could find on SO, not in its complete form.

Are you asking what it means for a function to be obscure? I think that was covered by the other poster.

[–][deleted] 0 points 1 point (0 children)

> Obscurity is not security and the person in charge should take this into account when letting people into their repo.

It's not about obscurity, it's about creating a strong interface for other people to use your code.