Re: mass bug filing for undefined sn?printf use

"Paul Wise" <pabs@debian.org> writes:
> On Fri, Jan 2, 2009 at 3:50 AM, Kees Cook <kees@outflux.net> wrote:

>> Oh!  Good catch, thank you.  I've started a re-run with the regex
>> changed.  So far, it's already caught new stuff.  I'll post updated
>> details once it has finished.

> Could this test be added to lintian?

The thread so far seems to indicate the false positive rate isn't great.
People usually find Lintian checks with a lot of false positives rather
annoying.  It can be worth it if the problem is sufficiently severe, but
it always makes me nervous to add.

We could possibly add an experimental tag, though, to get an idea of what
the false positive rate looks like.  We're trying that with a few other
ones at the moment.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

