(EDIT: Note that everyone was proceeding under the assumption that silentbits was a Tox dev, but that's apparently not true, as was corrected below. I wonder it that calls into question the original comment...)

From the github conversation:

silentbits said: "Nobody is going to risk using an external parser in such critical code."

jbangert replied: "What do you mean? not invented here? Google's core engineers are better (and their code gets more review, attention, etc). than anything we can produce."

silentbits said: "You have few exchange protocols: ITCH, OUTCH (NASDAQ), UTP MD, XDP (NYSE), PITCH (BATS). These protocols are in binary form and very easy to convert from/to C/C++ struct. If you produce critical software you want to have a code that you can be verified and tested. You can of course find external parsers for this, but all serious players do their own parsers. The only exception might be FPGAs implementation where whole is written in HDL (VHDL, verilog)."

Am I correct in assessing that the reason this is troubling is because the tox devs are saying "Everyone else is writing their own parsers, so we should write our own parsers too"?

I don't know. If you want to criticize a software project for writing their own parser, you'll also need to criticize Tarsnap, since they write their own too. Yet Tarsnap is basically the gold standard in native security software. So either Tarsnap is being equally crazy, or it's not so crazy after all. I wonder which one is the case?

I should point out that silentbits is not a Tox dev. He was only expressing his personal opinion on that matter.

My mistake, sorry. (And apparently everyone else is making the same mistake too...) I've edited my comment for clarity.

Did Tox devs express anything on the matter? It's very hard to substantiate all of this without someone who knows the Tox project.

For example, the last reply was "The Tox protocol is very easy to parse in C which means little chance of issues." Is that from a Tox dev?

That last comment was by irungentoo, who is the lead Tox dev and the one who wrote the parsing code.

The last reply to the issue:

"The Tox protocol is very easy to parse in C which means little chance of issues."

Building a homegrown parser and simultaneously expecting not to have security issues, that's true confidence.

If you actually read the code you will see that it's true.

The parsing is dead simple and written in a way that mistakes are very unlikely.

That's a really bold statement to make. And why not use a proven secure parser in the first place?

They wrote their own parser and think it's more secure than Google-backed protobufs? That's unbelievable.