On Thu, Feb 04, 2021 at 11:11:43PM +0100, Pavel Machek wrote:
> On Thu 2021-02-04 15:59:21, Timur Tabi wrote:
> > On 2/4/21 3:49 PM, Pavel Machek wrote:
> > >This machine is insecure. Yet I don't see ascii-art *** all around..
> > >
> > >"Kernel memory addresses are exposed, which is bad for security."
> >
> > I'll use whatever wording everyone can agree on, but I really don't see much
> > difference between "which may compromise security on your system" and "which
> > is bad for security". "may compromise" doesn't seem any more alarmist than
> > "bad". Frankly, "bad" is a very generic term.
>
> Well, I agree that "bad" is vague.... but original wording is simply
> untrue, as printing addresses decreases robustness but can't introduce
> a security problem on its own.
>
> Being alarmist is not my complaint; being untrue is.

It's just semantics. Printing addresses DOES weaken the security of a
system, especially when we know attackers have and do use stuff from
dmesg to tune their attacks. How about "reduces the security of your
system"?

--
Kees Cook