This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.
Re: US-CERT Vulnerability Note VU#162289
On Wed, Apr 23, 2008 at 09:06:56AM -0400, Chad Dougherty wrote:
> David Miller wrote:
> >CERT is asking these vendors for "approval" for the text they will add
> >mentioning anything about their product. That's the bit I'm talking
> >about.
> >
> >They are getting protection and consideration that was not really
> >afforded to GCC.
> >
> >CERT treated GCC differently.
>
> This is not true. The "Statement" section of the vendor status is for
> official, usually verbatim, statements from the vendor. The "Addendum"
> section is reserved for our own comments, even those that may contradict
> the vendor's response if we have reason to do so.
I disagree; it is true. You did not ask for approval before adding GCC to
"vulnerable". We have demonstrated to you by independent testing that
other compilers are also vulnerable, and have provided the steps that you
can use to confirm this. But you are dragging your feet on including
other compilers on your "Vulnerable" list. Meanwhile, you still have an
unfairly slanted advisory.
If CERT is to maintain its reputation, it needs to do better. The warning
is misdirected in any case; given the very large number of compilers that
these coding practices cause trouble for, you need to focus on the bad
coding practices, not on unfair demonization of new GCC releases.