[Cryptography] GCC bug 30475 (was Re: bounded pointers in C)

John Gilmore gnu at toad.com
Sun Apr 27 22:17:26 EDT 2014


> I do practice law and the GNU GPL disclaimer is unlikely to hold water
> in any civil law jurisdiction in case of a clear security issue brought
> to the developer's attention.

You might well be correct about the law.  But you are not describing
the fact situation that this thread is about.

Telling the GCC developers that "that guy over there wrote code whose
security checks get skipped because the language standard that GCC
implements doesn't define the behavior of the way that guy wrote those
checks" is not "a clear security issue brought to the [gcc]
developer's attention".

Under this theory, the committee of 50+ people who contributed wording
to the C Language Standard(s) are also liable for damage caused by
every security bug that resulted from people depending on behavior
that the standard did not define.  In this theory of liability, theirs
would be an error of omission (they did not define the behavior of
integer arithmetic in C with big numbers, therefore they are liable
because some idiot ten years later wrote security sensitive code that
used big numbers?).

Basically, nobody's forcing you to use this software (or this
implementation language).  You got it for free, probably without
having *any* direct interaction with the developers.  In effect, you
copied it from a library, like xeroxing a public domain book, or
building a personal copy of a gadget by getting the drawings from the
patent office.  If you don't like it, don't use it.  Oh, hypothetical
lawsuit filer, you're claiming that *someone else* somewhere on the
Internet used it and you were injured thereby?  And you don't even
have a contract with that someone else (e.g. Google, Facebook), nor
any economic relationship with them?  Your claim is even more tenuous.

	John

PS:  Lawyer a not am I.  And if I was, I would be charging you for
this advice (while disclaiming any damages you might incur by listening
to it or following it :-).
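The kind of skipped check the thread is arguing about, as an added illustration that is not part of the original post or of GCC itself: a signed-overflow test written after the addition relies on behaviour the C standard leaves undefined, so an optimising compiler may delete it, whereas the two defined forms below keep working. The function names are the example's own.

```c
#include <limits.h>
#include <stdbool.h>

/* The pattern behind the subject line's bug report: compute x + 100 in
 * signed int, then ask whether the sum wrapped.  Signed overflow is
 * undefined in C, so the compiler may assume it never happens and fold
 * the comparison to 'true'.  This function therefore cannot be relied on
 * as a security check at any optimisation level. */
bool add100_fits_ub(int x) {
    int sum = x + 100;   /* undefined behaviour when x > INT_MAX - 100 */
    return sum > x;      /* GCC is permitted to compile this as 'return true' */
}

/* Defined alternative 1: test the operands before doing the arithmetic,
 * so no undefined operation is ever evaluated. */
bool add100_fits_precheck(int x) {
    return x <= INT_MAX - 100;
}

/* Defined alternative 2: let the compiler perform an overflow-checked add.
 * __builtin_add_overflow is provided by GCC (5 and later) and Clang; it
 * returns true when the mathematically correct result does not fit. */
bool add100_fits_builtin(int x, int *out) {
    int sum;
    if (__builtin_add_overflow(x, 100, &sum))
        return false;    /* overflow detected, sum left unused */
    if (out)
        *out = sum;
    return true;
}
```

Compiling the first function with `-O2` and inspecting the assembly shows the comparison gone; `-fwrapv` or `-fsanitize=undefined` changes what GCC does with it, but only the two defined forms are correct under the standard.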
