FTBFS if "-Werror=format-security" flag is used

Jan Lieskovsky jlieskov at redhat.com
Thu Dec 5 14:49:47 UTC 2013


----- Original Message -----
> From: "mrnuke" <mr.nuke.me at gmail.com>
> To: devel at lists.fedoraproject.org
> Sent: Thursday, December 5, 2013 3:37:14 PM
> Subject: Re: FTBFS if "-Werror=format-security" flag is used
> 
> On 12/05/2013 07:38 AM, Ralf Corsepius wrote:
> > As I see it, GCC's -Wformat-security is too unreliable to be used in
> > production. It certainly diagnoses valid security leaks in some cases,
> > but all it does in other cases is to enforce stylishness to work around
> > GCC's limitations. I.e. in these cases it effectively only causes churn.
> > 
> > I.e. I see sense in adding it to %optflags as a warning (-W...), but
> > raising this warning to an error (-Werror=...) at this point in time
> > qualifies as not helpful.
> > 
> +1

I think the point of turning the warning into an explicit error is to intentionally
make the package / source build fail to indicate there's an error present
somewhere in the code and that it should be fixed.

Better to be safe than sorry (in this context better to fix all known format
string flaws ahead rather than to wait till someone actually takes the time and
effort to show it's exploitable [like in the mentioned sudo case already]).
In that scenario it will need to be fixed anyway (and possibly in yet more of a
hurry than it is now).

Just my 2 cents.

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
