[Pkg-gpe-maintainers] mass bug filing for undefined sn?printf use
Kees Cook
kees at outflux.net
Tue Dec 30 02:26:30 UTC 2008
On Sun, Dec 28, 2008 at 10:27:16AM +0000, Neil Williams wrote:
> On Sun, 28 Dec 2008 00:42:46 -0800 Kees Cook <kees at outflux.net> wrote:
> > In Debian, some tools already compile natively with -D_FORTIFY_SOURCE=2,
> > and some have Build-Depends on "hardening-wrapper", which enables this
> > compiler flag. As such, it seems sensible to have all affected packages
> > fixed since the results of such a call could change. (Though it is not an
> > RC issue.)
>
> By all affected packages, do you mean packages that use the code or
> packages that use the code *AND* compile with or
> Build-Depend on hardening-wrapper?
>
> IMHO any bugs filed merely due to the presence of the code without the
> means to trigger the error in normal builds should be wishlist.
Sorry for the confusion -- I meant "present in the code", not "actively
broken". I agree it's not a "normal" bug, but I'd like to see the bug at
least as "low" since (with a stock glibc) the bug would appear if a
maintainer decided to use "hardening-wrapper".
> > Thoughts?
>
> Split the list according to packages that merely match the regexp and
> those that match the regexp *AND* match a second regexp indicating that
> the build system either uses -D_FORTIFY_SOURCE=2 or hardening-wrapper?
Good idea, those can be opened with "normal" severity.
-Kees
--
Kees Cook @debian.org
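The pattern this thread is about is a call such as `sprintf(buf, "%s%s", buf, suffix)` or `snprintf(buf, sizeof buf, "%s, %d", buf, n)`, where the destination buffer is also passed back in as a source argument. The C standard makes this undefined (copying between overlapping objects), so whatever output a particular libc happens to produce, with or without -D_FORTIFY_SOURCE=2, cannot be relied on. The block below is an added example, not code from the thread or from any affected package; it shows the two idioms that replace the pattern (appending at a tracked offset, and copying the old contents out before reformatting). All function names are hypothetical and the request string it builds is constructed for the demo.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* The calls the mass bug filing targets look like this (shown only as a
 * comment so nothing here executes undefined behaviour):
 *
 *     sprintf(buf, "%s%s", buf, suffix);
 *     snprintf(buf, sizeof buf, "%s, %d", buf, n);
 *
 * Both alias the destination with a source argument.  The helpers below
 * are hypothetical replacements; the point is that buf never appears on
 * both sides of the call. */

/* Idiom 1: append at a tracked offset.  Only buf + *used is written to, and
 * none of the format arguments refer to buf.  Returns 0 on success, -1 when
 * the text would not fit; on -1 the partial write is rolled back so buf is
 * still NUL-terminated and *used is unchanged. */
int append_fmt(char *buf, size_t size, size_t *used, const char *fmt, ...)
{
    if (*used >= size)
        return -1;                         /* no room even for the NUL */
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf + *used, size - *used, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= size - *used) {
        buf[*used] = '\0';                 /* undo the truncated write */
        return -1;
    }
    *used += (size_t)n;
    return 0;
}

/* Idiom 2: when the old contents have to land somewhere other than at the
 * start of the buffer, copy them to a temporary first so the format
 * arguments never alias buf.  Returns 0 on success, -1 on truncation. */
int wrap_in_brackets(char *buf, size_t size)
{
    char tmp[256];                         /* constructed upper bound for the demo */
    size_t len = strlen(buf);
    if (len >= sizeof tmp)
        return -1;
    memcpy(tmp, buf, len + 1);
    int n = snprintf(buf, size, "[%s]", tmp);
    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

/* Builds a request line piece by piece, the way the buggy callers do with
 * repeated sprintf(buf, "%s ...", buf, ...).  Returns the final length, or
 * -1 if any piece did not fit (buf then holds the pieces that did fit). */
int build_request(char *out, size_t size, const char *method, const char *path)
{
    size_t used = 0;
    if (size == 0)
        return -1;
    out[0] = '\0';
    if (append_fmt(out, size, &used, "%s", method) < 0)
        return -1;
    if (append_fmt(out, size, &used, " %s", path) < 0)
        return -1;
    if (append_fmt(out, size, &used, " HTTP/1.%d", 0) < 0)
        return -1;
    return (int)used;
}

/* Self-check used by the demo: 1 if every idiom behaved as documented. */
int self_check(void)
{
    char buf[32];
    if (build_request(buf, sizeof buf, "GET", "/index.html") != 24)
        return 0;
    if (strcmp(buf, "GET /index.html HTTP/1.0") != 0)
        return 0;
    if (wrap_in_brackets(buf, sizeof buf) != 0)
        return 0;
    if (strcmp(buf, "[GET /index.html HTTP/1.0]") != 0)
        return 0;
    char small[8];                         /* too small: truncation path */
    if (build_request(small, sizeof small, "GET", "/index.html") != -1)
        return 0;
    return strcmp(small, "GET") == 0;      /* rolled back after "GET" */
}

int main(void)
{
    char buf[32];
    int len = build_request(buf, sizeof buf, "GET", "/index.html");
    printf("%d: %s\n", len, buf);
    wrap_in_brackets(buf, sizeof buf);
    printf("%s\n", buf);
    printf("self_check: %d\n", self_check());
    return self_check() ? 0 : 1;
}
```

Treating truncation as an error (rather than silently keeping a cut-off string) is the part most of the buggy callers also get wrong, so the helper rolls the write back and reports it; a caller that wants best-effort output can simply ignore the -1.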