public inbox for binutils@sourceware.org
From: Alan Modra <amodra@gmail.com>
To: Siddhesh Poyarekar <siddhesh@gotplt.org>
Cc: binutils@sourceware.org, fweimer@redhat.com
Subject: Re: [PING][PATCH] [RFCv2] Document Security process for binutils
Date: Tue, 19 Jan 2021 18:57:01 +1030
Message-ID: <20210119082701.GX26219@bubble.grove.modra.org>
In-Reply-To: <53ac9309-bb52-3291-b307-33076b9d0468@gotplt.org>

If you are serious about security then "don't run any of binutils as
root" is sufficient advice.  I don't think any of this documentation
in info files is necessary for binutils, and I'd rather not see more
people fuzzing binutils.

As someone who has spent rather a lot of time over the past year
responding to asan, ubsan, and fuzzed object file bug reports, I can
tell you that the great majority of those reports do not fix real
bugs.  By "real bugs", I mean bugs that might conceivably be triggered
by real object files created by compilers or assemblers.

Yes, we do have libbfd and libopcodes that are used by more than just
binutils and gdb, but the number of projects is small.

-- 
Alan Modra
Australia Development Lab, IBM


Thread overview: 10+ messages
2021-01-08  9:59 [PATCH] " Siddhesh Poyarekar
2021-01-11 20:25 ` Fangrui Song
     [not found] ` <MWHPR1201MB01108F03C7E60AF41202DC38CBAB0@MWHPR1201MB0110.namprd12.prod.outlook.com>
2021-01-12  2:57   ` Siddhesh Poyarekar
2021-01-18 19:09 ` [PING][PATCH] " Siddhesh Poyarekar
2021-01-19  8:27   ` Alan Modra [this message]
2021-01-19  8:59     ` Siddhesh Poyarekar
2021-01-26  2:46       ` Mike Frysinger
2021-01-27  3:58         ` Siddhesh Poyarekar
2021-01-27  5:36           ` Mike Frysinger
2021-01-27  6:32             ` Siddhesh Poyarekar
