Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing

To: Adam Borowski <kilobyte@angband.pl>
Cc: debian-devel@lists.debian.org
Subject: Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing
From: Henrique de Moraes Holschuh <hmh@debian.org>
Date: Wed, 25 Sep 2013 16:38:56 -0300
Message-id: <[🔎] 20130925193856.GA23810@khazad-dum.debian.net>
In-reply-to: <[🔎] 20130925164247.GA27260@angband.pl>
References: <[🔎] 20130920190537.GZ27621@onerussian.com> <[🔎] 20130921051216.GN5094@outflux.net> <[🔎] 20130921124634.GX21512@fmf.nl> <[🔎] 20130921150813.GA21253@outflux.net> <[🔎] loom.20130924T134453-638@post.gmane.org> <[🔎] 87bo3imcj2.fsf@windlord.stanford.edu> <[🔎] loom.20130925T134128-696@post.gmane.org> <[🔎] 87vc1orh51.fsf@windlord.stanford.edu> <[🔎] 20130925164247.GA27260@angband.pl>

On Wed, 25 Sep 2013, Adam Borowski wrote:
> On Wed, Sep 25, 2013 at 09:38:18AM -0700, Russ Allbery wrote:
> > Thorsten Glaser <tg@mirbsd.de> writes:
> > > Russ Allbery <rra <at> debian.org> writes:
> > Programs that don't check the return status of functions that they think
> > won't ever fail are a bit of a pet peeve of mine, in part because it would
> > make a lot of sense for localtime() to be able to fail when the question
> > it was asked is undefined.  But no one ever checks the return status of
> > localtime() for much the same reason that you spell out for not checking
> > the return status of crypt(), which means that localtime() is required by
> > all this legacy code to return arbitrary nonsense instead of an error.
> 
> __attribute__((warn_unused_result))

Too bad it won't work in this specific case, but one could use Coccinelle or
another static checker tool to track down crypt() calls without a subsequent
test for NULL.

That would still require a sweep on the source of the entire archive,
though, as well as periodic testing to make sure the braidamage doesn't find
its way back as new packages or new upstream versions.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Reply to:

References:
- think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing
  - From: Yaroslav Halchenko <debian@onerussian.com>
- Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing
  - From: Kees Cook <kees@debian.org>
- Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing
  - From: Bas Wijnen <wijnen@debian.org>
- Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing
  - From: Kees Cook <kees@debian.org>
- Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing
  - From: Thorsten Glaser <tg@mirbsd.de>
- Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing
  - From: Russ Allbery <rra@debian.org>
- Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing
  - From: Thorsten Glaser <tg@mirbsd.de>
- Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing
  - From: Russ Allbery <rra@debian.org>
- Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing
  - From: Adam Borowski <kilobyte@angband.pl>

Prev by Date: Re: qmake and "make dist"
Next by Date: Re: qmake and "make dist"
Previous by thread: Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing
Next by thread: Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing
Index(es):
- Date
- Thread