Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing



Adam Borowski <kilobyte@angband.pl> writes:
> On Wed, Sep 25, 2013 at 09:38:18AM -0700, Russ Allbery wrote:

>> Programs that don't check the return status of functions that they
>> think won't ever fail are a bit of a pet peeve of mine, in part because
>> it would make a lot of sense for localtime() to be able to fail when
>> the question it was asked is undefined.  But no one ever checks the
>> return status of localtime() for much the same reason that you spell
>> out for not checking the return status of crypt(), which means that
>> localtime() is required by all this legacy code to return arbitrary
>> nonsense instead of an error.

> __attribute__((warn_unused_result))

Now that is an *excellent* idea for crypt().  In fact, I'm surprised that
it's not already tagged with that attribute.  I think I'll suggest that on
libc-alpha.  Thanks!

Doing that for localtime() may be too much of an uphill climb.  :/

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
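
The attribute suggested in the message above, shown on a wrapper around localtime(). This is an added example, not code from the thread or from glibc; `checked_localtime` and `format_year` are hypothetical names, and the overflow case assumes GCC or Clang with a 64-bit time_t.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical wrapper, not a libc function. The attribute makes GCC and
 * Clang warn at any call site that discards the returned status. */
__attribute__((warn_unused_result))
static int checked_localtime(time_t when, struct tm *out)
{
    errno = 0;
    const struct tm *tm = localtime(&when);
    if (tm == NULL)                      /* the question had no answer */
        return errno ? errno : ERANGE;
    *out = *tm;                          /* copy out of the static buffer */
    return 0;
}

/* Hypothetical caller: writes the year, or reports failure instead of
 * formatting whatever happened to be in the struct. */
__attribute__((warn_unused_result))
static int format_year(time_t when, char *buf, size_t len)
{
    struct tm tm;
    int err = checked_localtime(when, &tm);
    if (err != 0)
        return err;
    return strftime(buf, len, "%Y", &tm) ? 0 : ERANGE;
}

int main(void)
{
    /* Constructed inputs: a timestamp in 2013, and one whose year cannot
     * fit in tm_year (assumes a 64-bit time_t). */
    time_t samples[] = { (time_t)1380127098, (time_t)LLONG_MAX };
    char buf[16];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int err = format_year(samples[i], buf, sizeof buf);
        if (err != 0)
            printf("sample %zu: localtime failed: %s\n", i, strerror(err));
        else
            printf("sample %zu: year %s\n", i, buf);
    }
    return 0;
}
```

A bare statement such as `checked_localtime(t, &tm);` draws a -Wunused-result warning from GCC, which is the behaviour the attribute would give callers of crypt().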