SJS's Journal: Have Axe, Need Grindstone

How the lessons of the past are so easily lost....

According to SecureCoding.Cert.Org, using a goto is the recommended way to write secure code. Let's just forget about how goto is universally abused by mediocre and undisciplined programmers to create comprehensibility and maintainability nightmares, and concern ourselves only with the ideal situation.

Bah.

The example is a clever bit of sleight-of-hand. A single-entrance-multiple-exit-no-goto approach is contrasted with a single-entrance-single-exit-using-goto approach. The appearance is that apples are being compared to apples, but what's actually going on is that apples are being compared to potatoes (i.e., earth apples).

The "this is how you write the code without gotos" example really should be code that's as equivalent to the "this is how you write the code with gotos" example. And if the authors can't see a way to write that sort of code (it's pretty damn obvious, IMNSHO), they're not really qualified to make the sort of judgement they're making.

It may be that one could argue that the goto-using code is still cleaner, but if you don't do a reasonable job in creating the contrasting code, that argument rings hollow. It's arguing in bad faith. It's dirty pool. It's *slimy*.

Cert doesn't get a biscuit.