Re: mass bug filing for undefined sn?printf use

On Sun, Dec 28, 2008 at 10:27:16AM +0000, Neil Williams wrote:
> On Sun, 28 Dec 2008 00:42:46 -0800 Kees Cook <kees@outflux.net> wrote:
> > In Debian, some tools already compile natively with -D_FORTIFY_SOURCE=2,
> > and some have Build-Depends on "hardening-wrapper", which enables this
> > compiler flag.  As such, it seems sensible to have all affected packages
> > fixed since the results of such a call could change.  (Though it is not an
> > RC issue.)
> By all affected packages, do you mean packages that use the code or
> packages that use the code *AND* compile with  or
> Build-Depend on hardening-wrapper?
> IMHO any bugs filed merely due to the presence of the code without the
> means to trigger the error in normal builds should be wishlist.

Sorry for the confusion -- I meant "present in the code", not "actively
broken".  I agree it's not a "normal" bug, but I'd like to see the bug at
least as "low" since (with a stock glibc) the bug would appear if a
maintainer decided to use "hardening-wrapper".

> > Thoughts?
> Split the list according to packages that merely match the regexp and
> those that match the regexp *AND* match a second regexp indicating that
> the build system either uses -D_FORTIFY_SOURCE=2 or hardening-wrapper?

Good idea, those can be opened with "normal" severity.


Kees Cook                                            @debian.org
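As an added illustration (not part of this thread, and not code from Kees, Neil or any of the affected packages): the "undefined sn?printf use" in the subject is assumed here to be the destination buffer being passed back in as a "%s" argument. The C standard leaves copying between overlapping objects undefined, so the output depends on the libc path taken, and the fortified wrappers that -D_FORTIFY_SOURCE=2 (or hardening-wrapper) switches in can produce a different result from the plain call, which is why a package can look fine until a maintainer turns hardening on. The function names below are hypothetical; the sample input is constructed.

```c
/* Added example, not from the thread. Shows the overlapping snprintf
 * shape the bug filing is about next to a well-defined way to append.
 * All names here are hypothetical. */
#include <stdio.h>
#include <string.h>

#define LOG_MAX 64

/* Anti-pattern: buf is both the destination and a "%s" source.
 * C99 7.19.6.5 makes this undefined for overlapping objects, so the
 * result can change between the plain and the fortified glibc calls.
 * Kept only to show the shape a reviewer (or the filing regexp) looks
 * for; nothing below depends on its output. */
void append_overlapping(char *buf, size_t size, const char *suffix)
{
    snprintf(buf, size, "%s%s", buf, suffix);   /* overlapping: undefined */
}

/* Well-defined replacement: write past the current terminator and hand
 * snprintf only the remaining space. Returns 0 on success, -1 if the
 * result would not fit; on -1 buf is left exactly as it was. */
int append_safe(char *buf, size_t size, const char *suffix)
{
    const char *end = memchr(buf, '\0', size);
    if (end == NULL)
        return -1;                      /* buf not terminated within size */
    size_t used = (size_t)(end - buf);
    int n = snprintf(buf + used, size - used, "%s", suffix);
    if (n < 0 || (size_t)n >= size - used) {
        buf[used] = '\0';               /* roll back the partial write */
        return -1;
    }
    return 0;
}

/* Builds a line piece by piece with append_safe and stops at the first
 * piece that does not fit. Returns how many pieces were appended. */
int build_line(char *buf, size_t size, const char *const *pieces, size_t count)
{
    int appended = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        if (append_safe(buf, size, pieces[i]) != 0)
            break;
        appended++;
    }
    return appended;
}

int main(void)
{
    /* Constructed sample input. */
    const char *pieces[] = { "user=alice", " action=login", " result=ok" };
    char line[LOG_MAX];
    int n = build_line(line, sizeof line, pieces, 3);
    printf("%d pieces -> \"%s\"\n", n, line);

    /* Too small for even the first piece: refused rather than mangled. */
    char small[8];
    n = build_line(small, sizeof small, pieces, 3);
    printf("%d pieces -> \"%s\"\n", n, small);
    return 0;
}
```

The fix is mechanical: compute the current length once, then pass `buf + used` and `size - used` so the destination never overlaps a source argument. A source-level regexp of the kind discussed above catches the overlapping shape regardless of whether the package is currently built with the fortify flag.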

