Date: Tue, 19 Jan 2021 18:57:01 +1030
From: Alan Modra
To: Siddhesh Poyarekar
Cc: binutils@sourceware.org, fweimer@redhat.com
Subject: Re: [PING][PATCH] [RFCv2] Document Security process for binutils
Message-ID: <20210119082701.GX26219@bubble.grove.modra.org>
In-Reply-To: <53ac9309-bb52-3291-b307-33076b9d0468@gotplt.org>

If you are serious about security then "don't run any of binutils as root" is sufficient advice. I don't think any of this documentation in info files is necessary for binutils, and I'd rather not see more people fuzzing binutils.

As someone who has spent rather a lot of time over the past year responding to asan, ubsan, and fuzzed object file bug reports, I can tell you that the great majority of those reports do not fix real bugs. By "real bugs", I mean bugs that might conceivably be triggered by real object files created by compilers or assemblers.

Yes, we do have libbfd and libopcodes that are used by more than just binutils and gdb, but the number of projects is small.

--
Alan Modra
Australia Development Lab, IBM