Tightening NUT

[jimklimov]

Be inspired by work done in cURL, we are not so far behind in many aspects. Further in others...

FOSDEM 2025 tightening every bolt - with Daniel Stenberg:

• https://www.youtube.com/watch?v=Yr5fPxZvhOw
• https://www.slideshare.net/slideshow/tightening-every-bolt-at-fosdem-2025-by-daniel-stenberg/275979959

Points to ponder:

• Reproducible (tarball) builds (see SOURCE_DATE_EPOCH)
• More unit-testing and "Torture testing" with wrappers to make inner calls fail to see how outer methods deal with it (no leak/crash, etc.)
• C89 compatibility is still possible :)
• they ban use of sscanf, sprintf, vsprintf, strncpy, strcat, strncat and gets (note that fgets() has range checks and is safe(r)), and even gmtime/localtime, also LoadLibrary (we don't directly use it; WIN32 builds of libltdl might? maybe?)
  • search for "ban" in e.g. http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/www/curl/Makefile changelog
  • pick up their checksrc scanner? => https://github.com/curl/curl/blob/master/scripts/checksrc.pl (for complete list of methods see %banfunc and .checsrc files in various source subdirs)
  • of the listed methods, we do have some hits of strtok, sprintf (uh!), strcat and strncat (BTW why is it banned?); a bit of gmtime/localtime (in common/strptime.c fallback and include/timehead.h), wondering what would the replacement be if needed