From: Ian Lance Taylor
Date: Fri, 14 Apr 2023 13:49:20 -0700
Subject: Re: RFC: Adding a SECURITY.md document to the Binutils
To: DJ Delorie
Cc: binutils@sourceware.org, gdb@sourceware.org

On Fri, Apr 14, 2023 at 12:45 PM DJ Delorie wrote:
>
> Ian Lance Taylor via Gdb writes:
> > Compilers and linkers must behave in a reasonable manner when given
> > untrusted input.
>
> Are we confusing trusted with well-behaved? I mean, if I download a
> source tree from the FSF's git server, I trust it, but it may still be
> ill-behaved. Meanwhile, sources from a public mailing list may be
> well-behaved but not trusted.
>
> I'm only posting this because Carlos and I had long discussions about
> this before we set up the glibc pre-commit CI. This process takes
> random patches from the public glibc mailing list, and builds them.
> WHOA! That's dangerous! Yes. The patches may produce well-defined
> code, but are not trusted. Those builds run in a tight sandbox to
> mitigate any attack attempts. Security here is outside the scope of the
> build tools. I don't expect gcc to scan for viruses or prevent people
> from doing "#include ".

I agree that GCC does not have to scan for viruses or strange #include
statements. I am saying that you should not need to set up a sandbox
merely to build code.

Clearly if you want to execute untrusted code, some sort of sandbox is a
minimal requirement. I'm only talking about building code (and, for
objdump and friends, inspecting code).

Ian