Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing

[Bas Wijnen <wijnen@debian.org>]

On Fri, Sep 20, 2013 at 10:12:16PM -0700, Kees Cook wrote:
> This is absolutely a bug in glibc. While the spec can say "undefined", it
> is, in fact, not undefined. It worked in a very specific way for over a
> decade, so that's pretty well defined. ;) The fortify function has no need
> to change it.

I strongly disagree.  If I write a specification for something and an
implementation of it, then the specification is what defines the behavior.  If
something is not defined, or even explicitly "undefined", then that doesn't
mean I have to make sure the implementation regularly changes just to make sure
that I don't give users the "right" to use undefined features.

Code that does undefined things is buggy, even if it works on some
implementation, and no matter how long it has worked.

Thanks,
Bas