
Re: US-CERT Vulnerability Note VU#162289

From:  Joe Buck <Joe.Buck-AT-synopsys.COM>
To:  Florian Weimer <fw-AT-deneb.enyo.de>
Subject:  Re: US-CERT Vulnerability Note VU#162289
Date:  Mon, 14 Apr 2008 10:13:53 -0700
Message-ID:  <20080414171352.GA344@synopsys.com>
Cc:  "Robert C. Seacord" <rcs-AT-cert.org>, Gerald.Williams-AT-infineon.com, gcc-AT-gcc.gnu.org, crd-AT-cert.org


Robert C. Seacord wrote:
> > i agree that the optimization is allowed by C99.  i think this is a
> > quality of implementation issue,  and that it would be preferable for
> > gcc to emphasize security over performance, as might be expected.

On Sun, Apr 13, 2008 at 11:51:00PM +0200, Florian Weimer wrote:
> I don't think this is reasonable.  If you use GCC and its C frontend,
> you want performance, not security.

Furthermore, there are a number of competitors to GCC.  These competitors
do not advertise better security than GCC.  Instead they claim better
performance (though such claims should be taken with a grain of salt).
To achieve high performance, it is necessary to take advantage of all of
the opportunities for optimization that the C language standard permits.

For CERT to simultaneously argue that GCC should be crippled (to
emphasize security over performance) but that nothing negative should
be said about competing compilers is the height of irresponsibility.
Any suggestion that users should avoid new versions of GCC will drive
users to competing compilers that optimize at least as aggressively.






Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.