From: Robert Ramey (ramey_at_[hidden])
Date: 2019-10-22 18:30:14
On 10/22/19 11:03 AM, Vinnie Falco via Boost wrote:
> On Tue, Oct 22, 2019 at 10:40 AM Robert Ramey via Boost
> <boost_at_[hidden]> wrote:
>> Did you look into using boost.spirit for parsing?
> I didn't even consider it. All of the parsers that I work with accept
> untrusted inputs,
I don't buy this as a reason - in fact I'd call it a reason to specify and
enforce a formal grammar.
> so when writing a parser I prefer to have no
> external dependencies. Spirit is an enormous dependency and scares off
> potential users.
This I can appreciate and sympathize with. It points to the problem
that C++ and Boost have been wrestling with forever - dependency management.
I'm pretty doubtful that anyone can write a demonstrably correct parser
without using such a tool. So if security is an issue perhaps you might
want to write a test program based on spirit. This would give one
confidence that your library won't introduce security holes - at least
on the inputs tested. This might be appreciated. Since users don't
typically build/run tests (though I've advocated that they should!)
there wouldn't be any kind of dependency issue for them. And it would
give you the option of writing 1000++ test cases without having to check
them all by hand.
Just food for thought - feeding the beast.
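The test-only oracle suggested in this message, sketched as an added example that is not code from the thread or from any Boost library: a dependency-free hand-written recognizer is compared with a recognizer generated from the written grammar on every short input. Assumptions: JSON number syntax stands in for the library's grammar, `std::regex` stands in for Spirit as the grammar-derived oracle so the block builds without Boost, and all function names are hypothetical.

```cpp
#include <cstdio>
#include <cstdlib>
#include <regex>
#include <string>
// Oracle: the grammar written down once (JSON number syntax, an assumed stand-in).
bool grammar_accepts(const std::string& s) {
    static const std::regex number(R"(-?(0|[1-9][0-9]*)(\.[0-9]+)?([eE][+-]?[0-9]+)?)");
    return std::regex_match(s, number);
}
// Hand-written recognizer under test (hypothetical), no dependencies.
bool hand_parse_number(const std::string& s) {
    std::size_t i = 0, n = s.size();
    auto digits = [&] {  // consume [0-9]*, true if at least one digit was eaten
        std::size_t start = i;
        while (i < n && s[i] >= '0' && s[i] <= '9') ++i;
        return i > start;
    };
    if (i < n && s[i] == '-') ++i;
    if (i < n && s[i] == '0') ++i;  // a leading zero must stand alone
    else if (!digits()) return false;
    if (i < n && s[i] == '.') { ++i; if (!digits()) return false; }
    if (i < n && (s[i] == 'e' || s[i] == 'E')) {
        if (++i < n && (s[i] == '+' || s[i] == '-')) ++i;
        if (!digits()) return false;
    }
    return i == n;  // trailing bytes are an error
}
bool loose_parse_number(const std::string& s) {  // deliberately loose: strtod accepts more
    char* end = nullptr;
    std::strtod(s.c_str(), &end);
    return !s.empty() && end == s.c_str() + s.size();
}
// Count strings of length <= max_len on which parser and oracle disagree; keep the first.
std::size_t disagreements(bool (*parser)(const std::string&), const std::string& alphabet,
                          std::size_t max_len, std::string* first) {
    std::size_t bad = 0, k = alphabet.size();
    for (std::size_t len = 0, count = 1; len <= max_len; ++len, count *= k)
        for (std::size_t code = 0; code < count; ++code) {
            std::string s;  // decode `code` as a base-k string of exactly `len` symbols
            for (std::size_t j = 0, c = code; j < len; ++j, c /= k) s += alphabet[c % k];
            if (parser(s) != grammar_accepts(s) && bad++ == 0 && first) *first = s;
        }
    return bad;
}
int main() {
    std::string first;
    std::size_t hand = disagreements(hand_parse_number, "019-+.eE", 5, nullptr);
    std::size_t loose = disagreements(loose_parse_number, "019-+.eE", 5, &first);
    std::printf("hand=%zu loose=%zu first=\"%s\"\n", hand, loose, first.c_str());
}
```

Because the oracle lives only in the test program, users of the parser never build it, and the exhaustive enumeration replaces hand-checked expected values.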