Date: Tue, 9 Jan 2024 10:12:38 -0500
Subject: Re: [PATCH] SECURITY.txt: Drop "exploitable" in reference to hardening issues
From: Siddhesh Poyarekar
To: gcc Patches

On 2023-12-18 09:35, Siddhesh Poyarekar wrote:
> The "exploitable vulnerability" may lead to a misunderstanding that
> missed hardening issues are considered vulnerabilities, just that
> they're not exploitable.  This is not true, since while hardening bugs
> may be security-relevant, the absence of hardening does not make a
> program any more vulnerable to exploits than without.
>
> Drop the "exploitable" word to make it clear that missed hardening is
> not considered a vulnerability.

Ping, may I commit this if there are no objections?

Thanks,
Sid

> > diff --git a/SECURITY.txt b/SECURITY.txt > index b3e2bbfda90..126603d4c22 100644 > --- a/SECURITY.txt > +++ b/SECURITY.txt > @@ -155,10 +155,10 @@ Security features implemented in GCC >      GCC implements a number of security features that reduce the impact >      of security issues in applications, such as -fstack-protector, >      -fstack-clash-protection, _FORTIFY_SOURCE and so on.  A failure of > -    these features to function perfectly in all situations is not an > -    exploitable vulnerability in itself since it does not affect the > -    correctness of programs.  Further, they're dependent on heuristics > -    and may not always have full coverage for protection. > +    these features to function perfectly in all situations is not a > +    vulnerability in itself since it does not affect the correctness of > +    programs.  Further, they're dependent on heuristics and may not > +    always have full coverage for protection. > >      Similarly, GCC may transform code in a way that the correctness of >      the expressed algorithm is preserved, but supplementary properties >
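
Review bot: in the reworded sentence of the SECURITY.txt hunk at -155,10, "is not a vulnerability in itself" gives only the negative half of the distinction the commit message draws. The commit message says hardening bugs may be security-relevant but are not vulnerabilities, while the paragraph still only says what such a failure is not. Consider adding a short clause after "correctness of programs" stating how a missed-hardening report is classified, so the reader does not have to infer it from the commit log. The retained "in itself" can also be read as "a vulnerability in some other sense", which is close to the misreading the patch sets out to remove; rephrasing or dropping it would make the statement unconditional.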