Subject: Re: US-CERT Vulnerability Note VU#162289
Date: Monday 14th April 2008 17:13:53 UTC

Robert C. Seacord wrote:
> > i agree that the optimization is allowed by C99. i think this is a
> > quality of implementation issue, and that it would be preferable for
> > gcc to emphasize security over performance, as might be expected.

On Sun, Apr 13, 2008 at 11:51:00PM +0200, Florian Weimer wrote:
> I don't think this is reasonable. If you use GCC and its C frontend,
> you want performance, not security.

Furthermore, there are a number of competitors to GCC. These competitors do not advertise better security than GCC. Instead they claim better performance (though such claims should be taken with a grain of salt). To achieve high performance, it is necessary to take advantage of all of the opportunities for optimization that the C language standard permits.

For CERT to simultaneously argue that GCC should be crippled (to emphasize security over performance) but that nothing negative should be said about competing compilers is the height of irresponsibility. Any suggestion that users should avoid new versions of GCC will drive users to competing compilers that optimize at least as aggressively.