Date: Thu, 03 Jan 2019 22:46:18 +0100 From: tg@...lib.org (Torbjörn Granlund) To: Jeffrey Walton <noloader@...il.com> Cc: oss-security@...ts.openwall.com, gmp-bugs@...lib.org Subject: Re: Asserts considered harmful (or GMP spills its sensitive information) Jeffrey Walton <noloader@...il.com> writes: Here's what I witness on a BananaPi and a couple of other boards. Can you provide info on the ARM boards you are using? I have about 8 of them for testing, and I may be able to duplicate your [successful] result. Marco and others have told you to read the GMP manual. People have explained what you do wrong and it is clear that you know very well why your CFLAGS messing breaks things. Yet, you insist on spreading the lie that GMP "does not build". Returning a failure from mpn_sec_powm would be a most welcomed improvement. You have repeated this several times already. The GMP API is what it is. If you don't like it, well, we're so sorry. It would be a welcomed improvement if GMP does it in other places, too. Crashing is least welcomed behavior for many uses cases, including those where availability and confidentiality is a concern. You have repeated this several times, and people have patiently replied and explained how to handle this safely. Gracefully handling failure serves several purposes. First, returning failure is what developers expect to happen. Really? Did you talk to them? If a program uses a function incorrectly then it is expected to fail. Developers are usually good about checking return values at call sites. I have yet to find one program which checks all return values. Second, when GMP crashes it is setting a policy for the application. Any API sets policies. We've had enough of your nagging and aggressiveness and your threats in private email. Your messages to the GMP lists will henceforth be automatically discarded. -- Torbjörn Please encrypt, key id 0xC8601622
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.