This is the mail archive of the mailing list for the GCC project.


Re: 3.2 PATCH: Ada parallel bootstrap fixes

On Tue, 14 May 2002, Robert Dewar wrote:

> > the Ada maintainers.  This includes security issues, as well as very basic
> > issues of integration with GCC build/install (such as not needing separate
> > make gnatlib_and_tools when bootstrapping from top level, and installing
> > info manuals by default).
> I am not aware of any security issues that we (or I) consider significant.
> I know that Florian has raised some issues, but we do not consider these
> significant. Are you referring to something else here?

I'm referring to his open security PRs, ada/4482 and ada/5903.  You say
you don't consider them significant, but there's nothing in the PR audit
trails to explain this analysis; certainly to anyone examining the bug
database, they look like security bugs that have not been addressed or
even responded to.  Even if security bugs are hard to exploit, good
practice (not just for free software) is that they are responded to
rapidly - and that if there's no response after maybe a week (or no fix
after a reasonable time), it's entirely reasonable for the submitter to
send an advisory to bugtraq noting lack of response from the maintainer.
If a release (here 3.1) has to go out with known security holes, at the
very least there should be something in the release notes explaining the
holes and what users should do to avoid being affected by them.

(This also applies to any other known security holes.  libtool encoding
build paths into installed .la files - other/3525 - is one.)

Joseph S. Myers
