On 2023-08-11 11:12, David Edelsohn wrote:
> The text above states "bugs in these libraries may be evaluated for
> security impact", but there is no comment about the criteria for a
> security impact, unlike the GLIBC SECURITY.md document. The text seems
> to imply the "What is a security bug?" definitions from GLIBC, but the
> definitions are not explicitly stated in the GCC Security policy.
>
> Should this "Language runtime libraries" section include some of the
> GLIBC "What is a security bug?" text or should the GCC "What is a
> security bug?" section earlier in this document include the text with a
> qualification that issues like buffer overflow, memory leaks,
> information disclosure, etc. specifically apply to "Language runtime
> libraries" and not all components of GCC?

Yes, that makes sense. This part will likely evolve though, much like
the glibc one did, based on reports we get over time. I'll work it in
and post an updated draft.

Thanks,
Sid