On Thu, Nov 16, 2017 at 6:53 AM, Guido van Rossum <gu...@python.org> wrote:

> On Wed, Nov 15, 2017 at 6:50 PM, Guido van Rossum <gu...@python.org>
> wrote:
>>
>>
>> Actually it linked to http://standards.iso.org/ittf/
>> PubliclyAvailableStandards/index.html from which I managed to download
>> what looks like the complete c061457_ISO_IEC_TR_24772_2013.pdf (336
>> pages) after clicking on an "I accept" button (I didn't read what I
>> accepted :-). The $200 is for the printed copy I presume.
>>
>
> So far I learned one thing from the report. They use the term
> "vulnerabilities" liberally, defining it essentially as "bug":
>
> All programming languages contain constructs that are incompletely
>> specified, exhibit undefined behaviour, are implementation-dependent, or
>> are difficult to use correctly. The use of those constructs may therefore
>> give rise to *vulnerabilities*, as a result of which, software programs
>> can execute differently than intended by the writer.
>>
>
> They then go on to explain that sometimes vulnerabilities can be
> exploited, but I object to calling all bugs vulnerabilities -- that's just
> using a scary word to get attention for a sleep-inducing document
> containing such gems as "Use floating-point arithmetic only when absolutely
> needed" (page 230).
>
>
​I don't like such a definition of "vulnerability" either. Some bugs can be
vulnerabilities (those that can be exploited) and some vulnerabilities can
be bugs. But there are definitely types of vulnerabilities that are not
bugs––the DoS vulnerability that is eliminated by hash randomization is one.

There may also be a gray area of bugs that can be vulnerabilities but only
in some special situation. I think it's ok to call those vulnerabilities
too.

​––Koos​


​PS. How come I haven't seen a proposal to remove the float type from
builtins yet?-)​


-- 
+ Koos Zevenhoven + http://twitter.com/k7hoven +
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Reply via email to