> On a related note, I think because of Heartbleed we should never reuse
> buffers ever again. Seems logical, right? Can't trust programmers
> anyway, we're all just simple beings that can't figure out better...

There are a few lessons one could learn from it. For example, if you already have a custom allocator in place in security-critical software, use memset() to zero out any newly allocated memory which may have been left holding security-relevant information. This really is only a few cycles and worth it. Or memset() to zero security-relevant memory before you free() it. Or -- and this plays into Lua's minimalism principle -- there is little reason to activate an obscure source tree by default for everybody that is only used by a few users and maintained and looked at by few developers. Or -- and this has also been argued by a few -- reconsider the decision to write security-critical stuff in C. With most high-level languages this bug could not have happened this way. Or -- there should be more code review in security-critical stuff. Or -- etc. etc.

Yes, we improve as coders by generalized learning. There are a few options in which way to go and develop -- yes, there is not one "true" way, since ages of arguing about coding, but to deny any possible generalizations gained from experience like you did is surely one wrong way.
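
An added example, not part of the original post: a hypothetical fixed-size pool allocator that reuses slots, showing how much of a constructed secret survives reuse with and without the zero-on-free and zero-on-alloc steps suggested above. The names (pool_alloc, pool_free, secure_wipe) are illustrative assumptions; the wipe goes through a volatile pointer because a plain memset() right before a release is a dead store that an optimizer may remove.

```c
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS 4
#define SLOT_SIZE  64
/* Hypothetical pool: freed slots are handed out again as-is. */
static unsigned char pool[POOL_SLOTS][SLOT_SIZE];
static int in_use[POOL_SLOTS];

/* Volatile stores cannot be dropped as dead by the compiler. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* zero_on_alloc != 0: clear the slot before handing it out. */
void *pool_alloc(int zero_on_alloc) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (in_use[i]) continue;
        in_use[i] = 1;
        if (zero_on_alloc) memset(pool[i], 0, SLOT_SIZE);
        return pool[i];
    }
    return NULL; /* pool exhausted */
}

/* zero_on_free != 0: clear the slot before it becomes reusable. */
void pool_free(void *p, int zero_on_free) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (p != (void *)pool[i]) continue;
        if (zero_on_free) secure_wipe(p, SLOT_SIZE);
        in_use[i] = 0;
    }
}

/* Store a constructed secret, release the slot, take it again and count
 * how many leading bytes of the old secret are still readable. */
size_t stale_bytes_after_reuse(int zero_on_free, int zero_on_alloc) {
    static const char secret[] = "constructed-secret-key"; /* sample data */
    unsigned char *a = pool_alloc(0);
    memcpy(a, secret, sizeof secret);
    pool_free(a, zero_on_free);
    unsigned char *b = pool_alloc(zero_on_alloc); /* same slot comes back */
    size_t n = 0;
    while (n < sizeof secret - 1 && b[n] == (unsigned char)secret[n]) n++;
    pool_free(b, 1); /* leave the pool clean for the next run */
    return n;
}

int main(void) {
    printf("no zeroing:    %zu stale bytes\n", stale_bytes_after_reuse(0, 0));
    printf("zero on free:  %zu stale bytes\n", stale_bytes_after_reuse(1, 0));
    printf("zero on alloc: %zu stale bytes\n", stale_bytes_after_reuse(0, 1));
    return 0;
}
```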