Daniel Jacobowitz wrote:
> The R in CERT is "Response" (at least it used to be; I can't find an
> expansion on their web site...). They're responding to a problem that
> was reported to them, and alerting others to the problem. We can
> argue about the details, but not about the need to respond.

I agree.
I am not happy about some of the ways in which CERT has singled out GCC
in this situation. That said, warning people that applications that use
a particular style of security check are broken is a perfectly
reasonable thing to do, especially given that the broken security check
is known to be present in real-world applications. In fact, warning
people that such code worked with GCC X, but not GCC X+1, is useful;
some people may not be able to audit the code, but may be able to
control whether or not they upgrade to a new compiler, and this is
useful data for those people. But, it should be made clear that
switching from GCC to icc (or whatever) is not a solution, since many of
those compilers also do the optimization. (Never mind the risks that
making a major change to your build environment entails...)
--
Mark Mitchell
CodeSourcery
(650) 331-3385 x713
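The message above does not spell out which "particular style of security check" the optimization breaks. The following is an added example, not code from this thread or from GCC, and it assumes the check in question is the pointer-overflow idiom `if (p + len < p)`. Under that assumption the problem is not GCC-specific: forming a pointer that does not point into (or one past) its object is undefined behaviour in C, so any conforming optimizer may reason that `p + len` cannot wrap and fold the comparison away. The example shows that fragile form next to a check written purely in terms of sizes, which gives the compiler no undefined behaviour to exploit and therefore behaves the same under every compiler and optimization level. The `struct buf` type, the function names and the 16-byte demo buffer are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Buffer descriptor used by both checks below (constructed for this example). */
struct buf {
    char  *base;
    size_t cap;
};

/* FRAGILE FORM (assumed to be the idiom the advisory is about).
 * The overflow test is written in terms of pointer arithmetic. When len is
 * large enough that base + len leaves the object, that addition is undefined
 * behaviour, so a conforming compiler may assume it never wraps and delete
 * the "< base" comparison entirely. Whether this function rejects a huge len
 * therefore depends on compiler version and optimization level; do not rely
 * on it, and nothing in the test below asserts on it. */
int fragile_fits(const struct buf *b, size_t len)
{
    if (b->base + len < b->base)        /* may be optimized away */
        return 0;
    return b->base + len <= b->base + b->cap;
}

/* ROBUST FORM: compare sizes, never pointers. No pointer arithmetic happens
 * until the length has been validated against the remaining capacity, so the
 * optimizer has no undefined behaviour to exploit and the result is the same
 * with every compiler. offset is where the write would start. */
int robust_fits(const struct buf *b, size_t offset, size_t len)
{
    if (offset > b->cap)                /* already past the end */
        return 0;
    return len <= b->cap - offset;      /* cannot overflow: cap >= offset */
}

/* Bounds-checked append built on the robust check. Returns 1 on success,
 * 0 if the write would not fit; never touches the buffer on rejection. */
int safe_append(struct buf *b, size_t offset, const char *src, size_t len)
{
    if (!robust_fits(b, offset, len))
        return 0;
    memcpy(b->base + offset, src, len);
    return 1;
}

/* Demo buffer (constructed) so the checks can be exercised stand-alone. */
static char demo_storage[16];
struct buf demo_buf = { demo_storage, sizeof demo_storage };

/* Returns 1 when every expected outcome of the robust check holds. */
int run_checks(void)
{
    int ok = 1;
    ok &= robust_fits(&demo_buf, 0, 16) == 1;        /* exactly fills */
    ok &= robust_fits(&demo_buf, 0, 17) == 0;        /* one byte too many */
    ok &= robust_fits(&demo_buf, 8, 8) == 1;
    ok &= robust_fits(&demo_buf, 8, 9) == 0;
    ok &= robust_fits(&demo_buf, 0, SIZE_MAX) == 0;  /* would wrap a pointer */
    ok &= robust_fits(&demo_buf, SIZE_MAX, 1) == 0;  /* offset itself bogus */
    ok &= safe_append(&demo_buf, 0, "hello", 5) == 1;
    ok &= safe_append(&demo_buf, 12, "hello", 5) == 0;
    ok &= memcmp(demo_storage, "hello", 5) == 0;
    return ok;
}

int main(void)
{
    printf("robust checks %s\n", run_checks() ? "passed" : "FAILED");
    printf("fragile_fits(SIZE_MAX) returned %d (compiler-dependent)\n",
           fragile_fits(&demo_buf, SIZE_MAX));
    return run_checks() ? 0 : 1;
}
```

The design point is the one the thread makes about switching compilers: the fragile check is wrong according to the language, not according to one vendor, so the fix is to rewrite the check in terms of lengths, which is what `robust_fits` does. Comparing `fragile_fits` at `-O0` and `-O2` on a given compiler shows whether that compiler happens to keep the comparison, but the answer can change with the next release.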