This is the mail archive of the
mailing list for the GCC project.
Re: 3.2 PATCH: Ada parallel bootstrap fixes
- From: "Joseph S. Myers" <jsm28 at cam dot ac dot uk>
- To: Robert Dewar <dewar at gnat dot com>
- Cc: pfeifer at dbai dot tuwien dot ac dot at, <gcc at gcc dot gnu dot org>, <ro at TechFak dot Uni-Bielefeld dot DE>
- Date: Tue, 14 May 2002 15:01:42 +0100 (BST)
- Subject: Re: 3.2 PATCH: Ada parallel bootstrap fixes
On Tue, 14 May 2002, Robert Dewar wrote:
> > the Ada maintainers. This includes security issues, as well as very basic
> > issues of integration with GCC build/install (such as not needing separate
> > make gnatlib_and_tools when bootstrapping from top level, and installing
> > info manuals by default).
> I am not aware of any security issues that we (or I) consider significant.
> I know that Florian has raised some issues, but we do not consider these
> significant. Are you referring to something else here?
I'm referring to his open security PRs, ada/4482 and ada/5903. You say
you don't consider them significant, but there's nothing in the PR audit
trails to explain this analysis; certainly to anyone examining the bug
database, they look like security bugs that have not been addressed or
even responded to. Even if security bugs are hard to exploit, good
practice (not just for free software) is that they are responded to
rapidly - and that if there's no response after maybe a week (or no fix
after a reasonable time), it's entirely reasonable for the submitter to
send an advisory to bugtraq noting lack of response from the maintainer.
If a release (here 3.1) has to go out with known security holes, at the
very least there should be something in the release notes explaining the
holes and what users should do to avoid being affected by them.
(This also applies to any other known security holes. libtool encoding
build paths into installed .la files - other/3525 - is one.)
Joseph S. Myers