On Fri, Nov 17, 2017 at 3:40 PM, Koos Zevenhoven <k7ho...@gmail.com> wrote:
> On Thu, Nov 16, 2017 at 6:53 AM, Guido van Rossum <gu...@python.org>
> wrote:
>
>> On Wed, Nov 15, 2017 at 6:50 PM, Guido van Rossum <gu...@python.org>
>> wrote:
>>>
>>> Actually it linked to http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
>>> from which I managed to download what looks like the complete
>>> c061457_ISO_IEC_TR_24772_2013.pdf (336 pages) after clicking on an
>>> "I accept" button (I didn't read what I accepted :-). The $200 is for
>>> the printed copy I presume.
>>>
>>
>> So far I learned one thing from the report. They use the term
>> "vulnerabilities" liberally, defining it essentially as "bug":
>>
>>> All programming languages contain constructs that are incompletely
>>> specified, exhibit undefined behaviour, are implementation-dependent, or
>>> are difficult to use correctly. The use of those constructs may therefore
>>> give rise to *vulnerabilities*, as a result of which, software programs
>>> can execute differently than intended by the writer.
>>
>> They then go on to explain that sometimes vulnerabilities can be
>> exploited, but I object to calling all bugs vulnerabilities -- that's just
>> using a scary word to get attention for a sleep-inducing document
>> containing such gems as "Use floating-point arithmetic only when absolutely
>> needed" (page 230).
>>
>
> I don't like such a definition of "vulnerability" either. Some bugs can
> be vulnerabilities (those that can be exploited) and some vulnerabilities
> can be bugs. But there are definitely types of vulnerabilities that are not
> bugs––the DoS vulnerability that is eliminated by hash randomization is one.
>
> There may also be a gray area of bugs that can be vulnerabilities but only
> in some special situation. I think it's ok to call those vulnerabilities
> too.
>

Just to clarify the obvious: By the above, I *don't* mean that one could use
the word "vulnerability" for any functionality that can be used in such a way
that it creates a vulnerability. For example, `eval` or `exec` or `open` by
themselves are not vulnerabilities.

––Koos

-- 
+ Koos Zevenhoven + http://twitter.com/k7hoven +
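As an added illustration of the mitigation Koos mentions (this is example code, not code from the thread or from CPython), the following checks whether CPython's per-process hash randomization is actually in effect by hashing the same string in freshly launched interpreter processes and comparing the results; it assumes `sys.executable` may be started as a subprocess.

```python
"""Check that str hashes differ across interpreter launches (randomized)
and agree only when PYTHONHASHSEED is pinned. Added example; the sample
key is constructed."""
import os
import subprocess
import sys


def hash_in_fresh_process(value: str, env: dict) -> int:
    """Return hash(value) as computed by a brand-new interpreter process.

    Each process draws its own secret seed at startup (unless
    PYTHONHASHSEED pins it), so str/bytes hashes are not comparable
    across processes; that is what defeats precomputed collision sets.
    """
    code = f"import sys; sys.stdout.write(str(hash({value!r})))"
    result = subprocess.run(
        [sys.executable, "-c", code],
        env=env, check=True, capture_output=True, text=True,
    )
    return int(result.stdout)


def hashes_are_randomized(value: str = "constructed-sample-key",
                          runs: int = 2) -> bool:
    """True when repeated launches hash `value` to different values.

    PYTHONHASHSEED=random is set explicitly so a fixed seed inherited
    from the caller's environment cannot mask the result.
    """
    env = dict(os.environ, PYTHONHASHSEED="random")
    seen = {hash_in_fresh_process(value, env) for _ in range(runs)}
    return len(seen) == runs


def hashes_are_fixed(value: str = "constructed-sample-key",
                     seed: str = "0", runs: int = 2) -> bool:
    """True when a pinned PYTHONHASHSEED makes hashes reproducible.

    This is the setting that reintroduces the DoS exposure, so a
    deployment check should flag it rather than rely on it.
    """
    env = dict(os.environ, PYTHONHASHSEED=seed)
    seen = {hash_in_fresh_process(value, env) for _ in range(runs)}
    return len(seen) == 1


if __name__ == "__main__":
    print("randomized across processes:", hashes_are_randomized())
    print("fixed with PYTHONHASHSEED=0:", hashes_are_fixed())
```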
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com