From: Ian Lance Taylor via Gdb
Reply-To: Ian Lance Taylor
Date: Mon, 17 Apr 2023 12:55:16 -0700
Subject: Re: RFC: Adding a SECURITY.md document to the Binutils
To: Michael Matz
Cc: Binutils, Siddhesh Poyarekar, Paul Koning, Richard Earnshaw, Nick Clifton, gdb@sourceware.org

On Mon, Apr 17, 2023 at 8:31 AM Michael Matz wrote:
>
> On Fri, 14 Apr 2023, Ian Lance Taylor via Binutils wrote:
>
> > And, honestly, these are not standards that are unusually difficult to
> > meet. Don't dump core, don't use up all of memory, don't have buffer
> > overflows. Treat failures of this sort as security bugs to be fixed
> > ASAP in minor releases. These are achievable goals.
>
> These are all noble goals to reach for. But the fact is that all the crap
> CVE entries from script-kiddies with their fuzzers are mainly fixed by
> Alan with his seemingly endless patience. Downstream they are the cause
> of endless worries (as customers blindly _demand_ that all CVEs be fixed
> by checking tickmarks on an endless list of entries they've downloaded
> last week from mitre; just by virtue of the entry having a CVE number and
> hence "be a serious security problem"). All of these are bugs to be fixed
> eventually. Literally _none_ of them are in any way a serious bug
> demanding an immediate fix. Next release is completely fine for that.

That is definitely a fair point. My argument here may be too strong. I
certainly agree that a CVE is not appropriate for a program crash.

Ian