Niels Thykier <ni...@thykier.net> writes:

> To be honest, I have been considering if we should reduce and disable
> this tag like we did with the stack-protector tag. In terms of
> accuracy, blhc beats hardening-check/lintian by miles. Even if
> people/upstreams tend to mistake C{,XX}FLAGS vs. CPPFLAGS, I suspect we
> would be better off by disabling this tag (e.g. less frustration from our
> users). The tag would still be available via the debian/extra-hardening
> profile, so people can opt-in.

I'm at least seeing a lot of false positives for a tag that's marked
possible. We could drop it to wild-guess, which IIRC would make it
info-level instead of a warning, which feels about right for the level of
false positive vs. false negative tradeoff we have at the moment.

>> (Thanks for the note about --verbose!)

> You are welcome. :) It happens to be the way we implement the fp->fn
> trade-offs.

It would be neat to include the list of unprotected functions as
additional data for the tag.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>