From: Joe Buck <Joe.Buck-AT-synopsys.COM>
To: Florian Weimer <fw-AT-deneb.enyo.de>
Subject: Re: US-CERT Vulnerability Note VU#162289
Date: Mon, 14 Apr 2008 10:13:53 -0700
Cc: "Robert C. Seacord" <rcs-AT-cert.org>, Gerald.Williams-AT-infineon.com, gcc-AT-gcc.gnu.org, crd-AT-cert.org
Robert C. Seacord wrote:
> > i agree that the optimization is allowed by C99. i think this is a
> > quality of implementation issue, and that it would be preferable for
> > gcc to emphasize security over performance, as might be expected.
On Sun, Apr 13, 2008 at 11:51:00PM +0200, Florian Weimer wrote:
> I don't think this is reasonable. If you use GCC and its C frontend,
> you want performance, not security.
Furthermore, there are a number of competitors to GCC. These competitors
do not advertise better security than GCC. Instead they claim better
performance (though such claims should be taken with a grain of salt).
To achieve high performance, it is necessary to take advantage of all of
the opportunities for optimization that the C language standard permits.
For CERT to simultaneously argue that GCC should be crippled (to
emphasize security over performance) but that nothing negative should
be said about competing compilers is the height of irresponsibility.
Any suggestion that users should avoid new versions of GCC will drive
users to competing compilers that optimize at least as aggressively.