FTBFS if "-Werror=format-security" flag is used

Michael scherer misc at zarb.org
Sat Dec 7 00:47:25 UTC 2013


On Thu, Dec 05, 2013 at 07:40:36PM -0600, mrnuke wrote:
> On 12/05/2013 11:38 AM, Michael scherer wrote:
> > On Wed, Dec 04, 2013 at 08:25:54PM -0600, mrnuke wrote:
> >>
> >> This change is Sofa King stupid. Why couldn't we have just enabled the
> >> warning without turning it into an error, THEN let packagers work with
> >> upstream in fixing those warnings? Regulate, not ban.
> > 
> > Because packagers will just ignore it [...]
> > 
> I think this is a childish argument, but let's take it. So what? You're
> going to start stepping on people's lawns and change things just because
> you want to impose your greater good?

In fact, I already do, I add checks in rpmlint for what I think
to be the greater good.
And in other times and places, I even forced people to fix 
some rpmlint errors in their packages, just based on my own 
judgement, or their packages would not be uploaded. 

And while you may think this is childish, I have some data
to back my assertion that some people ignore until there is an enforcement.
For example, I have seen no one except me requesting a CVE for potential
security problems that rpmlint does see since 6 months
( missing-call-to-setgroups-before-setuid, missing-call-to-chdir-with-chroot ).

Even during reviews, that's just ignored because this is not mandatory to fix 
( for example https://bugzilla.redhat.com/show_bug.cgi?id=976770 ).

( and I did a run on the whole set of Fedora packages, so I know that I was
not lucky and found the only single rpm with a problem ).

> > Let's rather ask the contrary, why is this so much an issue to communicate
> > with upstream to fix things, and add patches ?
> 
> -Werror is not needed for communication. It is not about communication.
> This is about a small group of people imposing their "MY WAY!!!".

Like there is a small group of people imposing packages guidelines,
so I fail to see your point exactly.
 
> > [...] really fail to see why there are people complaining.
> > 
> You run the assumption that all upstreams are paradise, heavenly, and
> friendly. And you also run the assumption that upstreams will never
> introduce such bugs in the future, never leaving packagers with the
> headache of patching things up.

That's already part of the life of packagers. For example, suddenly, gcc
decides to be stricter and suddenly, some VCS written in C++ decides to not
compile anymore, so you have to spend 1 full day just to make it compile.
( of course, totally fictitious example that didn't happen to me several years
ago ).

There is enough software not building anymore and dropped after mass rebuild
to show that such problems are not really so uncommon.

-- 
Michael Scherer 

