[Cryptography] GCC bug 30475 (was Re: bounded pointers in C)

Walter van Holst walter.van.holst at xs4all.nl
Mon Apr 28 01:47:49 EDT 2014


On 2014-04-28 04:17, John Gilmore wrote:
>> I do practice law and the GNU GPL disclaimer is unlikely to hold water
>> in any civil law jurisdiction in case of a clear security issue brought
>> to the developer's attention.
> 
> You might well be correct about the law.  But you are not describing
> the fact situation that this thread is about.
> 
> Telling the GCC developers that "that guy over there wrote code whose
> security checks get skipped because the language standard that GCC
> implements doesn't define the behavior of the way that guy wrote those
> checks" is not "a clear security issue brought to the [gcc]
> developer's attention".


I never stated that it was, for the simple reason that it still is 
unclear to me whether GCC bug #30475 is such a beast. I was triggered by 
the blanket statement that the GPL's exoneration clause would make any 
discussion on liability moot. Which it doesn't in several important 
jurisdictions. Please note that at no point did I say that it was a clear 
security issue. I simply am not knowledgeable enough to say such a 
thing (or the opposite), despite having coded in assembler in some 
previous life.

> 
> Under this theory, the committee of 50+ people who contributed wording
> to the C Language Standard(s) are also liable for damage caused by
> every security bug that resulted from people depending on behavior
> that the standard did not define.  In this theory of liability, theirs
> would be an error of omission (they did not define the behavior of
> integer arithmetic in C with big numbers, therefore they are liable
> because some idiot ten years later wrote security sensitive code that
> used big numbers?).

No, although a case can be made that if the C language standard leaves 
so much undefined behaviour that gives rise to so many security issues 
despite decades of experience with it, it might be software engineering 
malpractice to write anything critical in C. The opposite case can be 
made that there are industry best practices that allow for security 
critical code written in C (see the OpenBSD project), but then the lack 
of adhering to such industry practices could be an indicator, etc.


> Basically, nobody's forcing you to use this software (or this
> implementation language).  You got it for free, probably without
> having *any* direct interaction with the developers.

That would not shield you from liability (in most civil law 
jurisdictions, mind you) if there is a security issue that is introduced 
willfully or through willful neglect. Even the fact that you can always 
audit free software may not shield you from such a case. So yes, if 
there is a *real* security issue, not fixing it or not at the very least 
publishing the issue may make you liable. Liability is not necessarily 
about an error, but about your lack of enabling others to mitigate any 
damages that arise from your error.

>  In effect, you
> copied it from a library, like xeroxing a public domain book, or
> building a personal copy of a gadget by getting the drawings from the
> patent office.  If you don't like it, don't use it.  Oh, hypothetical
> lawsuit filer, you're claiming that *someone else* somewhere on the
> Internet used it and you were injured thereby?  And you don't even
> have a contract with that someone else (e.g. Google, Facebook), nor
> any economic relationship with them?  Your claim is even more tenuous.


Actually, the commonly held analysis of the GPL is that it *is* a 
contract in civil law jurisdictions. No matter what the FSF may be 
saying, it just is.


> PS:  Lawyer a not am I.  And if I was, I would be charging you for
> this advice (while disclaiming any damages you might incur by listening
> to it or following it :-).

Which is a very Anglo-American perspective. While I love the well-argued 
court opinions (and the dissenting opinions) it produces, it doesn't 
allow for much common sense. Again, in civil law jurisdictions it 
doesn't work that way. You're most likely to be laughed out of court if 
you were to sue for malpractice if you heeded the legal advice of some 
random person on some random mailing list.

Regards,

  Walter

