[Cryptography] GCC bug 30475 (was Re: bounded pointers in C)
Walter van Holst
walter.van.holst at xs4all.nl
Mon Apr 28 01:47:49 EDT 2014
On 2014-04-28 04:17, John Gilmore wrote:
>> I do practice law and the GNU GPL disclaimer is unlikely to hold water
>> in any civil law jurisdiction in case of a clear security issue
>> brought to the developer's attention.
>
> You might well be correct about the law. But you are not describing
> the fact situation that this thread is about.
>
> Telling the GCC developers that "that guy over there wrote code whose
> security checks get skipped because the language standard that GCC
> implements doesn't define the behavior of the way that guy wrote those
> checks" is not "a clear security issue brought to the [gcc]
> developer's attention".
I never stated that it was, for the simple reason that it is still
unclear to me whether GCC bug #30475 is such a beast. I was triggered by
the blanket statement that the GPL's exoneration clause would make any
discussion on liability moot. Which it doesn't in several important
jurisdictions. Please note that at no point did I say that it was a clear
security issue. I simply am not knowledgeable enough to say such a
thing (or the opposite), despite having coded in assembler in some
previous life.
>
> Under this theory, the committee of 50+ people who contributed wording
> to the C Language Standard(s) are also liable for damage caused by
> every security bug that resulted from people depending on behavior
> that the standard did not define. In this theory of liability, theirs
> would be an error of omission (they did not define the behavior of
> integer arithmetic in C with big numbers, therefore they are liable
> because some idiot ten years later wrote security sensitive code that
> used big numbers?).
No, although a case can be made that if the C language standard leaves
so much undefined behaviour that gives rise to so many security issues
despite decades of experience with it, it might be software engineering
malpractice to write anything critical in C. The opposite case can be
made that there are industry best practices that allow for security
critical code written in C (see the OpenBSD project), but then the lack
of adhering to such industry practices could be an indicator, etc.
> Basically, nobody's forcing you to use this software (or this
> implementation language). You got it for free, probably without
> having *any* direct interaction with the developers.
That would not shield you from liability (in most civil law
jurisdictions, mind you) if there is a security issue that is introduced
willfully or through willful neglect. Even the fact that you can always
audit free software may not shield you from such a case. So yes, if
there is a *real* security issue, not fixing it or not at the very least
publishing the issue may make you liable. Liability is not necessarily
about an error, but about your failure to enable others to mitigate any
damages that arise from your error.
> In effect, you
> copied it from a library, like xeroxing a public domain book, or
> building a personal copy of a gadget by getting the drawings from the
> patent office. If you don't like it, don't use it. Oh, hypothetical
> lawsuit filer, you're claiming that *someone else* somewhere on the
> Internet used it and you were injured thereby? And you don't even
> have a contract with that someone else (e.g. Google, Facebook), nor
> any economic relationship with them? Your claim is even more tenuous.
Actually, the commonly held analysis of the GPL is that it *is* a
contract in civil law jurisdictions. No matter what the FSF may be
saying, it just is.
> PS: Lawyer a not am I. And if I was, I would be charging you for
> this advice (while disclaiming any damages you might incur by listening
> to it or following it :-).
Which is a very Anglo-American perspective. While I love the well-argued
court opinions (and the dissenting opinions) it produces, it doesn't
allow for much common sense. Again, in civil law jurisdictions it
doesn't work that way. You're most likely to be laughed out of court if
you were to sue for malpractice if you heeded the legal advice of some
random person on some random mailing list.
Regards,
Walter
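The technical mechanism the thread argues about, as an added example that is not part of the original message or of GCC: GCC bug 30475 concerns an overflow check of the form `assert(a + 100 > a)`, which the C standard leaves undefined for signed `int` because the addition itself may overflow. A compiler is entitled to assume undefined behaviour never happens, so the comparison may be folded to "always true" and the check disappears. The function names below (`check_ub`, `check_defined`, `add_checked`) are this example's own; the defined forms compare against `INT_MAX`/`INT_MIN` before adding, so no overflow ever occurs and the compiler has nothing to optimise away.

```c
/* Added example, not from the mailing-list thread or from GCC.
 * Shows the check shape behind GCC bug 30475 beside a defined rewrite. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Undefined form: when a > INT_MAX - 100 the addition overflows, which is
 * undefined behaviour for signed int. Under the standard the compiler may
 * assume overflow cannot happen and reduce this to "return true", i.e. the
 * security check is silently dropped. Kept only to show the pattern; do not
 * call it with values near INT_MAX. */
bool check_ub(int a)
{
    return a + 100 > a;
}

/* Defined form: test the bound before adding. No arithmetic can overflow,
 * so the compiler must keep the comparison. */
bool check_defined(int a)
{
    return a <= INT_MAX - 100;
}

/* General safe addition: reports overflow instead of performing it.
 * Returns false (and leaves *out untouched) when a + b is not representable. */
bool add_checked(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;
    *out = a + b;
    return true;
}

int main(void)
{
    int r;
    /* Constructed inputs: one in range, one at the edge. */
    printf("check_defined(0)              = %d\n", check_defined(0));
    printf("check_defined(INT_MAX - 99)   = %d\n", check_defined(INT_MAX - 99));
    printf("add_checked(INT_MAX, 1) ok    = %d\n", add_checked(INT_MAX, 1, &r));
    if (add_checked(40, 2, &r))
        printf("add_checked(40, 2)            = %d\n", r);
    return 0;
}
```

Building the first function with optimisation enabled and inspecting the generated code is the usual way to see the check vanish; the defined forms behave identically at every optimisation level because they never rely on what the standard leaves unspecified.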