Bug#673112: lintian: hardening-no-stackprotector check has many false positives

To: Ralf Jung <post@ralfj.de>
Cc: 673112@bugs.debian.org
Subject: Bug#673112: lintian: hardening-no-stackprotector check has many false positives
From: Russ Allbery <rra@debian.org>
Date: Fri, 18 May 2012 13:34:03 -0700
Message-id: <[🔎] 87ipftcjpg.fsf@windlord.stanford.edu>
Reply-to: Russ Allbery <rra@debian.org>, 673112@bugs.debian.org
In-reply-to: <[🔎] 201205182229.31071.post@ralfj.de> (Ralf Jung's message of "Fri, 18 May 2012 22:29:30 +0200")
References: <[🔎] 201205182229.31071.post@ralfj.de>

Ralf Jung <post@ralfj.de> writes:

> I'd like to extend this to hardening-no-fortify-functions: My package
> definitely has -D_FORTIFY_SOURCE=2 set (an excerpt from the build flags:
> "-fstack-protector --param=ssp-buffer-size=4 -Wformat
> -Werror=format-security -D_FORTIFY_SOURCE=2"), but I get a
> hardening-no-stackprotector and hardening- no-fortify-functions for its
> only binary.

False positives for _FORTIFY_SOURCE are somewhat rarer, and that one is
much easier to miss applying due to the CPPFLAGS vs. CFLAGS distinction.
My immediate inclination would be to ask people to add an override for
false positives for it, since it's more likely that the tag is valid.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Bug#673112: lintian: hardening-no-stackprotector check has many false positives
  - From: Sven Joachim <svenjoac@gmx.de>

References:
- Bug#673112: lintian: hardening-no-stackprotector check has many false positives
  - From: Ralf Jung <post@ralfj.de>

Prev by Date: Bug#673112: lintian: hardening-no-stackprotector check has many false positives
Next by Date: Bug#673533: lintian: only one missing-license-paragraph-in-dep5-copyright is detected at a time
Previous by thread: Bug#673112: lintian: hardening-no-stackprotector check has many false positives
Next by thread: Bug#673112: lintian: hardening-no-stackprotector check has many false positives
Index(es):
- Date
- Thread