On Tue, 22 Oct 2019 at 20:30, Robert Ramey via Boost wrote:
> On 10/22/19 11:03 AM, Vinnie Falco via Boost wrote:
>> On Tue, Oct 22, 2019 at 10:40 AM Robert Ramey via Boost wrote:
>>> Did you look into using boost.spirit for parsing?
>>
>> I didn't even consider it. All of the parsers that I work with accept untrusted inputs,
>
> I don't buy this as a reason - in fact I'd call it reason to specify and enforce a formal grammar.
>
>> so when writing a parser I prefer to have no external dependencies. Spirit is an enormous dependency and scares off potential users.
>
> This I can appreciate and sympathize with. It points to the problem that C++ and boost have been wrestling with forever - dependency management.
>
> I'm pretty doubtful that anyone can write a demonstrably correct parser without using such a tool. So if security is an issue perhaps you might want to write a test program based on spirit. This would give one confidence that your library won't introduce security holes - at least on the inputs tested. This might be appreciated. Since users don't typically build/run tests (though I've advocated that they should!) there wouldn't be any kind of dependency issue for them. And it would give you the option of writing 1000++ test cases without having to check them all by hand.

I'd consider covering the thing with https://google.github.io/oss-fuzz/ instead.

Best regards,
-- 
Mateusz Loskot, http://mateusz.loskot.net
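What "covering the thing with OSS-Fuzz" looks like in practice, as an added example that is not part of the thread and not code from any Boost library: a libFuzzer entry point wrapped around a small hand-written parser, with a serialize/parse round-trip property standing in for the external oracle Robert proposes. The grammar (comma-separated unsigned 32-bit decimals), the parser, the `FUZZER_BUILD` macro, the seed inputs and all function names are constructed for this illustration.

```cpp
// Added example, not code from the thread or from any Boost library.
// A libFuzzer-style harness around a small hand-written parser. The grammar,
// parser, property check, seed inputs and FUZZER_BUILD macro are all constructed.
//
// Fuzz build (clang):  clang++ -g -O1 -fsanitize=fuzzer,address,undefined \
//                          -DFUZZER_BUILD harness.cpp -o harness && ./harness corpus/
// OSS-Fuzz builds the same way with $CXX $CXXFLAGS and $LIB_FUZZING_ENGINE and
// copies the binary into $OUT. Plain replay build (own main): clang++ harness.cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

// Constructed grammar:  list := uint (' '* ',' ' '* uint)*
//                       uint := '0' | [1-9][0-9]*  and must fit in uint32_t
// The whole input must match; empty input, leading zeros, trailing bytes and
// overflow are rejected rather than partially accepted. Returns false on rejection.
bool parse_list(const std::string& in, std::vector<std::uint32_t>& out) {
    out.clear();
    std::size_t i = 0;
    auto skip_ws = [&] { while (i < in.size() && in[i] == ' ') ++i; };
    for (;;) {
        if (i >= in.size() || in[i] < '0' || in[i] > '9') return false;
        std::uint64_t v = 0;
        if (in[i] == '0') {
            ++i;                    // lone zero; "07" fails below since '7' is neither ',' nor end
        } else {
            while (i < in.size() && in[i] >= '0' && in[i] <= '9') {
                v = v * 10 + static_cast<std::uint64_t>(in[i] - '0');
                if (v > UINT32_MAX) return false;   // reject overflow instead of wrapping
                ++i;
            }
        }
        out.push_back(static_cast<std::uint32_t>(v));
        skip_ws();
        if (i == in.size()) return true;
        if (in[i] != ',') return false;
        ++i;
        skip_ws();
    }
}

// Canonical form: values joined by ',' with no whitespace.
std::string serialize(const std::vector<std::uint32_t>& v) {
    std::string s;
    for (std::size_t k = 0; k < v.size(); ++k) {
        if (k) s += ',';
        s += std::to_string(v[k]);
    }
    return s;
}

// Property checked on every input: anything the parser accepts must survive a
// serialize/parse round trip unchanged. Rejection is always acceptable; memory
// errors on the rejection path are what ASan/UBSan catch. False = violation.
bool check_one(const std::string& in) {
    std::vector<std::uint32_t> parsed, again;
    if (!parse_list(in, parsed)) return true;
    return parse_list(serialize(parsed), again) && again == parsed;
}

// libFuzzer entry point: abort() on a property violation so the engine saves
// the input as a crash reproducer; sanitizer findings surface the same way.
extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t* data, std::size_t size) {
    std::string in(reinterpret_cast<const char*>(data), size);
    if (!check_one(in)) std::abort();
    return 0;
}

// Constructed seed corpus: valid lists plus the edge cases the grammar spells out.
const char* const kSeeds[] = {
    "", "0", "7", "1,2,3", "1, 2 ,3", "4294967295", "4294967296",
    "01", "1,,2", "1,", ",1", "1 2",
};

// Runs the seeds through the harness; true when every property check holds.
bool run_seed_corpus() {
    for (const char* s : kSeeds) {
        if (!check_one(std::string(s))) return false;
    }
    return true;
}

#ifndef FUZZER_BUILD   // libFuzzer supplies main(); this replay main is for plain builds
int main() {
    bool ok = run_seed_corpus();
    std::printf("seed corpus: %s\n", ok ? "all properties hold" : "property violation");
    return ok ? 0 : 1;
}
#endif
```

The round-trip property is deliberately weaker than a grammar oracle: it cannot tell you that a rejected input should have been accepted. It does catch the two things the thread worries about, memory errors on hostile input (via the sanitizers) and a parser that accepts something it then cannot reproduce, and adding a second implementation behind `check_one` as a differential oracle is a local change.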