Daniel Jacobowitz wrote on :
> On Fri, Apr 25, 2008 at 11:45:25AM -0400, Paul Koning wrote:
>> Robert> To me, the whole notion of this vulnerability node is flawed
>> Robert> in that respect. You can write a lengthy and useful book on
>> Robert> pitfalls in C that must be avoided, but I see no reason to
>> Robert> turn such a book into a cert advisory, let alone pick out a
>> Robert> single arbitrary example on a particular compiler!
>>
>> I think that comment is absolutely correct.
>
> The R in CERT is "Response" (at least it used to be; I can't find an
> expansion on their web site...). They're responding to a problem that
> was reported to them, and alerting others to the problem. We can
> argue about the details, but not about the need to respond.

But the E is "Emergency". This is not an emergency and does not demand an
*urgent* (and hence rushed and methodologically flawed) response; this is
just one more facet of the problems inherent in the design of the C language
that have been going on since /forever/.

cheers,
DaveK
--
Can't think of a witty .sigline today....