From: Siddhesh Poyarekar
Date: Thu, 13 Apr 2023 08:00:26 -0400
Subject: Re: RFC: Adding a SECURITY.md document to the Binutils
To: Alan Modra
Cc: Richard Earnshaw, Nick Clifton, Binutils, gdb@sourceware.org

On 2023-04-13 01:16, Alan Modra wrote:
>> That's not a crossing of privilege boundaries;
>
> I know.  Ah, I see.  You were saying that only the very narrow case of
> a privilege escalation will be considered a "security bug".  Fair
> enough I suppose, but that's close to the much simpler and more easily
> understood:
>
> "binutils makes no claim to being secure, ergo there are no security
> bugs".

More like, "don't put Turing-complete interfaces out on the internet without sandboxing for everyone to abuse, that's insecure" :)

I hope to put out something similar for gcc too, and pretty much every compiler/translator out there, because they're not programs that one puts out on the internet and thinks that everything will be OK.  They must be sandboxed.  The overzealous CVE assignments are simply wasting everyone's time and distracting everyone from actual security issues.

Sid