From: Ian Lance Taylor
Date: Mon, 17 Apr 2023 12:55:16 -0700
Subject: Re: RFC: Adding a SECURITY.md document to the Binutils
To: Michael Matz
Cc: Binutils, Siddhesh Poyarekar, Paul Koning, Richard Earnshaw, Nick Clifton, gdb@sourceware.org
References: <1c38b926-e003-0e21-e7f1-3d5dbec2aabf@redhat.com> <4ed86e65-0b7f-11d4-8061-2c5d0b1e147e@foss.arm.com> <7b6b10f8-e480-8efa-fbb8-4fc4bf2cf356@gotplt.org> <0224757b-6b17-f82d-c0bf-c36042489f5e@foss.arm.com> <01e846c0-c6bf-defe-0563-1ed6309b7038@gotplt.org> <2d4c7f13-8a35-3ce5-1f90-ce849a690e66@foss.arm.com> <01b8e177-abfd-549e-768f-1995cab5c81d@gotplt.org> <96e2ec59-11c6-329e-18c4-bf284eb752ac@gotplt.org> <20dbbe16-c7e5-412e-0506-2118dfef5fc2@gotplt.org>

On Mon, Apr 17, 2023 at 8:31 AM Michael Matz wrote:
>
> On Fri, 14 Apr 2023, Ian Lance Taylor via Binutils wrote:
>
> > And, honestly, these are not standards that are unusually difficult to
> > meet.  Don't dump core, don't use up all of memory, don't have buffer
> > overflows.  Treat failures of this sort as security bugs to be fixed
> > ASAP in minor releases.  These are achievable goals.
>
> These are all noble goals to reach for.  But the fact is that all the crap
> CVE entries from script-kiddies with their fuzzers are mainly fixed by
> Alan with his seemingly endless patience.  Downstream they are the cause
> of endless worries (as customers blindly _demand_ that all CVEs be fixed
> by checking tickmarks on an endless list of entries they've downloaded
> last week from mitre; just by virtue of the entry having a CVE number and
> hence "be a serious security problem").  All of these are bugs to be fixed
> eventually.  Literally _none_ of them are in any way a serious bug
> demanding an immediate fix.  Next release is completely fine for that.

That is definitely a fair point.  My argument here may be too strong.
I certainly agree that a CVE is not appropriate for a program crash.

Ian