On Wed, Apr 23, 2008 at 09:06:56AM -0400, Chad Dougherty wrote:
> David Miller wrote:
> >CERT is asking these vendors for "approval" for the text they will add
> >mentioning anything about their product. That's the bit I'm talking
> >about.
> >
> >They are getting protection and consideration that was not really
> >afforded to GCC.
> >
> >CERT treated GCC differently.
>
> This is not true. The "Statement" section of the vendor status is for
> official, usually verbatim, statements from the vendor. The "Addendum"
> section is reserved for our own comments, even those that may contradict
> the vendor's response if we have reason to do so.
I disagree; it is true. You did not ask for approval before adding GCC to "vulnerable". We have demonstrated to you by independent testing that other compilers are also vulnerable, and have provided the steps that you can use to confirm this. But you are dragging your feet on including other compilers on your "Vulnerable" list. Meanwhile, you still have an unfairly slanted advisory. If CERT is to maintain its reputation, it needs to do better. The warning is misdirected in any case; given the very large number of compilers that these coding practices cause trouble for, you need to focus on the bad coding practices, not on unfair demonization of new GCC releases.