undefined | Better HN

0 pointsturtlebits2y ago0 comments

The author spends a lot of time on how large software has gotten, even going as far as comparing the size of their image sharing tool to another.

More lines of code don't necessarily correlate to less secure - in fact, the author's tool makes a big security mistake, it doesn't strip EXIF.

0 comments

torstenvl2y ago

Not stripping EXIF metadata is not a security vulnerability.

The only EXIF-related CVE I can find is in fact the opposite. https://nvd.nist.gov/vuln/detail/cve-2021-22204

lolinder2y ago

Attack surface is about all the ways in which your software might be used to harm you or your customers. It's more than just remote code execution or DOS attacks.

For many use cases stripping EXIF is a hard requirement for user privacy and security, and it's reasonable for OP to point out that cutting that out to cut lines of code would be inappropriate in many situations.

torstenvl2y ago

Privacy is not the same as security. They are related, but distinct.

Show me the CVE that would provide any weight to the inflammatory and egregious claim that OP is a hypocrite.

2 more replies

palata2y ago

> it doesn't strip EXIF.

Which is not a security issue per se, is it? If the goal of the project is to self-host it and share it with family, then keeping the EXIF may be a feature.

geraldhh2y ago

> More lines of code don't necessarily correlate to less secure

but usually it does

j / k navigate · click thread line to collapse

0 pointsturtlebits2y ago0 comments

The author spends a lot of time on how large software has gotten, even going as far as comparing the size of their image sharing tool to another.

More lines of code don't necessarily correlate to less secure - in fact, the author's tool makes a big security mistake, it doesn't strip EXIF.

0 comments

torstenvl2y ago

Not stripping EXIF metadata is not a security vulnerability.

The only EXIF-related CVE I can find is in fact the opposite. https://nvd.nist.gov/vuln/detail/cve-2021-22204

lolinder2y ago

Attack surface is about all the ways in which your software might be used to harm you or your customers. It's more than just remote code execution or DOS attacks.

torstenvl2y ago

Privacy is not the same as security. They are related, but distinct.

Show me the CVE that would provide any weight to the inflammatory and egregious claim that OP is a hypocrite.

2 more replies

palata2y ago

> it doesn't strip EXIF.

Which is not a security issue per se, is it? If the goal of the project is to self-host it and share it with family, then keeping the EXIF may be a feature.

geraldhh2y ago

> More lines of code don't necessarily correlate to less secure

but usually it does

j / k navigate · click thread line to collapse