Daniel Jacobowitz wrote on :
> On Fri, Apr 25, 2008 at 11:45:25AM -0400, Paul Koning wrote:
>> Robert> To me, the whole notion of this vulnerability node is flawed
>> Robert> in that respect. You can write a lengthy and useful book on
>> Robert> pitfalls in C that must be avoided, but I see no reason to
>> Robert> turn such a book into a cert advisory, let alone pick out a
>> Robert> single arbitrary example on a particular compiler!
>>
>> I think that comment is absolutely correct.
>
> The R in CERT is "Response" (at least it used to be; I can't find an
> expansion on their web site...). They're responding to a problem that
> was reported to them, and alerting others to the problem. We can
> argue about the details, but not about the need to respond.

But the E is "Emergency". This is not an emergency and does not demand an
*urgent* (and hence rushed and methodologically flawed) response; this is just
one more facet of the problems inherent in the design of the C language that
have been going on since /forever/.

cheers,
DaveK
--
Can't think of a witty .sigline today....