From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=qS3H=H5=gotplt.org=siddhesh@sourceware.org>
Received: from dog.birch.relay.mailchannels.net (dog.birch.relay.mailchannels.net [23.83.209.48])
	by sourceware.org (Postfix) with ESMTPS id D3B5F385828F
	for <gcc-patches@gcc.gnu.org>; Mon, 18 Dec 2023 14:35:20 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org D3B5F385828F
Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=gotplt.org
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=gotplt.org
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org D3B5F385828F
Authentication-Results: server2.sourceware.org; arc=pass smtp.remote-ip=23.83.209.48
ARC-Seal: i=2; a=rsa-sha256; d=sourceware.org; s=key; t=1702910132; cv=pass;
	b=WggaCKh0Uaa8rsYF1flGMthYCyXUq7mSy4+yUDDzhto/y3m0tUxbb2Ese0lOrRTb9sPjPhUA+5LFPxLJYd3fBhiMGlsV1Nh7CIrLBsq82EcPtCY5wSOIca1QZUCU6jQM8Z+aw/sJiP3MkOEcdfi+fNMo+QI9rHZFNu53PiDhFeU=
ARC-Message-Signature: i=2; a=rsa-sha256; d=sourceware.org; s=key;
	t=1702910132; c=relaxed/simple;
	bh=imcAWlBBmDFY58OgAQmIX0Cy00eV1xVf5pdm3YSCmTg=;
	h=DKIM-Signature:Message-ID:Date:MIME-Version:From:Subject:To; b=llzB8nseHhpDoOwukDm+a2RoUtFrqCTizbiMPeD9vR/bPevGVWG4uH2RtmAE6bzpqGalqs+l0fYZ5h5oSWRpe6Ra94Tea0aoZUbbROgX7exC6IUzBaje4xE1bhy8Xep/FLjRcJNS1j9QQVW7Xx+6jQHwy3SMs9JDV8YqWMK3RZA=
ARC-Authentication-Results: i=2; server2.sourceware.org
X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org
Received: from relay.mailchannels.net (localhost [127.0.0.1])
	by relay.mailchannels.net (Postfix) with ESMTP id 4F246903A40
	for <gcc-patches@gcc.gnu.org>; Mon, 18 Dec 2023 14:35:18 +0000 (UTC)
Received: from pdx1-sub0-mail-a266.dreamhost.com (unknown [127.0.0.6])
	(Authenticated sender: dreamhost)
	by relay.mailchannels.net (Postfix) with ESMTPA id D6507903966
	for <gcc-patches@gcc.gnu.org>; Mon, 18 Dec 2023 14:35:17 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1702910117; a=rsa-sha256;
	cv=none;
	b=rYJmh0XCwtr891ehc7ppK+SnZSsZtImHIT7RNV3y8CwLeyzQaNsnKA+HjO6X05KMJcRoKw
	R/+R53GPYZDOBD2Mn/MEyn0lcOKmmkSe9d254sd5J0PxgUeQxnzUS/1S0PUTTEQH7LeyGF
	YQH+F7f8cy+827LnE2ZNoD8Abc3qYKJ3vkqLgxkA4Xg2ttNw0magQMMX9iWW/Dk9GFglVA
	tbEkWsMSdUh0S+n0Uz92vUV1HDjcevFRTkGAtX4Sah/aMS9+O5RVG9MdkbyVwTY6TouQYF
	TIHtKId4hzgWi/Hx3YZM3P0OFmxT9RnhU19VGTLPZ/MdPCnT6/ydqAU6Ri5ZKA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=mailchannels.net;
	s=arc-2022; t=1702910117;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:dkim-signature;
	bh=dDN3z092yfvmpTyk66yjXQIUBCPeECubfp/Uxel8dhc=;
	b=rkzcDBtbg/uoPEoiigEg4qwXWc2EtnIeCALsj4xT2QIWcefe+K1Jne9l1pDg6V7OaT0u0M
	owS1wYbEOEFq0o8B0bFVuLXkwvXQwSd9aLVIFuxPiXC8AzGXIMWclKHj6E4GMswk8FjBWK
	wV0akTy5pJh3ctt6NMBeCpzOil2l0CociesemGqwVEWC93bYMFfQTG2dTAFavjyDDOR6LI
	MwitApPpmrXKN+ZheiIRSCJWeMjmCdRf8QBlwT9xCfvYvIDEIn65dfCTUruNBh3a7wo9L5
	B+/DM0Ds6E8NKjcXxTYGc5qbywKY9IpCATrFUs+Z2fFq0b5m75cD1M0mzbfH+Q==
ARC-Authentication-Results: i=1;
	rspamd-659dcc87c8-q2gpp;
	auth=pass smtp.auth=dreamhost smtp.mailfrom=siddhesh@gotplt.org
X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|siddhesh@gotplt.org
X-MailChannels-Auth-Id: dreamhost
X-Soft-Relation: 163981aa466ab2d3_1702910118136_733348350
X-MC-Loop-Signature: 1702910118136:646784462
X-MC-Ingress-Time: 1702910118136
Received: from pdx1-sub0-mail-a266.dreamhost.com (pop.dreamhost.com
 [64.90.62.162])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384)
	by 100.96.174.32 (trex/6.9.2);
	Mon, 18 Dec 2023 14:35:18 +0000
Received: from [192.168.0.182] (unknown [142.113.138.136])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	(Authenticated sender: siddhesh@gotplt.org)
	by pdx1-sub0-mail-a266.dreamhost.com (Postfix) with ESMTPSA id 4Sv2RT47xWz84
	for <gcc-patches@gcc.gnu.org>; Mon, 18 Dec 2023 06:35:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gotplt.org;
	s=dreamhost; t=1702910117;
	bh=dDN3z092yfvmpTyk66yjXQIUBCPeECubfp/Uxel8dhc=;
	h=Date:From:Subject:To:Content-Type:Content-Transfer-Encoding;
	b=l8W8SlS8FAxVKSONLMDJivzLnqWUlAK4D0PX/+V6pyYMlGnR7IaNWzW/F5j985206
	 DP7i2WFqyBMtSVg8ladlQ+OzHXHWaKRkuawcphtToPwVpJr+FNbDxMyqdbzsS0t25I
	 lgOIEE0bK3KBEggPm5GKE3EWdLb1ntp4/iT37+S1z/VN2zdqscMwuZ2S3zwKxkIW4s
	 pHOPsxGrsHvSwG1vLZSnDH0xeGL4aEk0ODuoPmv3yHILdMuFpUgEyI4kSP/jwi+kve
	 2G2nu4vWBAuynhemy+8un7ZgK79S2eYKTF+BZBLc8PyIJM7/RNrwQf8QSdy3pFfTCv
	 hru47k/kSZXBQ==
Message-ID: <610f86be-79bb-451f-a9c1-6fcbdc78a2c9@gotplt.org>
Date: Mon, 18 Dec 2023 09:35:06 -0500
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
From: Siddhesh Poyarekar <siddhesh@gotplt.org>
Subject: [PATCH] SECURITY.txt: Drop "exploitable" in reference to hardening
 issues
To: gcc Patches <gcc-patches@gcc.gnu.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-3036.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,GIT_PATCH_0,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,TXREP,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org
List-Id: <gcc-patches.gcc.gnu.org>

The "exploitable vulnerability" may lead to a misunderstanding that 
missed hardening issues are considered vulnerabilities, just that 
they're not exploitable.  This is not true, since while hardening bugs 
may be security-relevant, the absence of hardening does not make a 
program any more vulnerable to exploits than without.

Drop the "exploitable" word to make it clear that missed hardening is 
not considered a vulnerability.

diff --git a/SECURITY.txt b/SECURITY.txt
index b3e2bbfda90..126603d4c22 100644
--- a/SECURITY.txt
+++ b/SECURITY.txt
@@ -155,10 +155,10 @@ Security features implemented in GCC
      GCC implements a number of security features that reduce the impact
      of security issues in applications, such as -fstack-protector,
      -fstack-clash-protection, _FORTIFY_SOURCE and so on.  A failure of
-    these features to function perfectly in all situations is not an
-    exploitable vulnerability in itself since it does not affect the
-    correctness of programs.  Further, they're dependent on heuristics
-    and may not always have full coverage for protection.
+    these features to function perfectly in all situations is not a
+    vulnerability in itself since it does not affect the correctness of
+    programs.  Further, they're dependent on heuristics and may not
+    always have full coverage for protection.

      Similarly, GCC may transform code in a way that the correctness of
      the expressed algorithm is preserved, but supplementary properties