On Mon, Apr 7, 2008 at 2:15 PM, Robert C. Seacord <[EMAIL PROTECTED]> wrote:
> Mark,
>
> ok, I'll review again for tone. Generally we don't try to make these notes
> overly broad; they are only meant to draw attention to a specific issue.

Speaking as a completely random observer who has had to respond to the issues raised by this vulnerability:

This vulnerability report seems sensationalistic. If I read this vulnerability, it would imply to me (and in fact, others who have read it and emailed me about it have gotten exactly this impression) that I could simply move my code to another compiler and not experience this behavior; that this is somehow specific to GCC. After all, it only talks about GCC.

Of course, as many have pointed out, there aren't really any compilers that *don't* perform this behavior, so I would be mistaken.

This kind of singling out of one compiler for what the entire industry does in this situation (for better or for worse) gives people the mistaken impression that they can avoid the problem by switching products. I've already been asked twice in my job about this report by security-related people, only to have to point out what you guys apparently do not: that everyone does this, and moving to another compiler would not help.

You should either issue reports for all these other compilers, withdraw this one, or clarify it to note that every interesting production compiler also performs this optimization.

To be honest, this report brought my view of CERT way down. I hope you guys take the time to correct it.