[cwyers]

> So for non-security critical software, it is sometimes better not to update that often. This update fever is bad both for developers and users.

What software is non-security critical anymore?

[Santosh83]

An appropriately sandboxed process that has no access to other processes or files can be considered non-security critical. But sadly nearly all programs commonly in use can access all the user's data and do with them as it wishes (hence ransomware) thus we have to perforce consider every program as security critical.

[throwaway613834]

> What software is non-security critical anymore?

LaTeX, MATLAB, CMake...

[rhn_mk1]

Terrible examples, considering that these are programming languages that people will use to run code from random sources.

"git clone foo && cmake foo" can definitely be a security problem, and not just because the code itself is untrusted.

[saywatnow]

It's not cmake's job to limit the behaviour of programs written with it.

[al2o3cr]

OTOH, allocating & using memory correctly so that a maliciously-crafted Makefile can't get elevated permissions is.

[pedrocr]

A makefile can call whatever it wants so if you run a malicious one you're already hacked. There's nothing you can do with a cmake buffer overrun that you can't also do just by writing a normal cmake file to call out whichever malicious commands you want.

[throwaway613834]

>> It's not cmake's job to limit the behaviour of programs written with it.

> OTOH, allocating & using memory correctly so that a maliciously-crafted Makefile can't get elevated permissions is.

https://en.wikipedia.org/wiki/Not_even_wrong

[martin_ky]

You are technically not wrong, of course, but if the attack vector got already to running Makefiles on your system, you should probably focus your effort to tighten security elsewhere.