On Tue, Aug 02, 2011 at 04:27:53PM -0700, Russ Allbery wrote:
> Raphael Hertzog <[email protected]> writes:
> 
> > I also wonder whether we should keep -Werror=format-security given that
> > no archive rebuild has been made with this option so we don't really
> > know how many packages will be affected by this.
> 
> I suspect "lots" based on personal experience, but also nearly every time
> I've seen this warning it's been at least a potential security
> vulnerability.  (Sometimes it's not very likely since it happened in
> configuration parsing code, but still.)  So making those packages fail to
> compile is probably not a bad thing.

I have all of Ubuntu's "main" component's build logs local, to try to
give us a quick measure (it's about 3500 packages out of the entire
archive). I can search for the warning, but is there a good way to check
that the package was built using dpkg-buildflags?

Out of 3551 packages recently built, 166 throw the warning, so just under
5%, without paying attention to whether they build with dpkg-buildflags.

I, too, would like to see it enabled by default. It will cause a certain
amount of pain, but we'll have a cleaner archive when it's done.

-Kees

-- 
Kees Cook                                            @debian.org
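
The measurement described in this message (count the packages whose build log contains the format-security diagnostic), as an added example that is not part of the original post. The log layout, the package names and the command-line heuristic for spotting the flag are assumptions, and the sample logs are constructed.

```python
import re

# GCC's diagnostic for a non-literal format string passed with no arguments.
# It is a "warning:" under -Wformat-security and an "error:" under
# -Werror=format-security. The column number is optional (older GCC omits it).
DIAG = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+):(?:\d+:)?\s+(?P<kind>warning|error): "
    r"format not a string literal and no format arguments"
)

def scan_log(text):
    """Return (file, line, kind) for each format-security diagnostic in one log."""
    hits = []
    for raw in text.splitlines():
        m = DIAG.match(raw)
        if m:
            hits.append((m["file"], int(m["line"]), m["kind"]))
    return hits

def built_with_werror(text):
    """Heuristic (assumption): the flag shows up on an echoed compiler command line."""
    return any("-Werror=format-security" in line and not DIAG.match(line)
               for line in text.splitlines())

def summarize(logs):
    """logs maps package name to log text. Return (affected, total, percent)."""
    affected = sorted(pkg for pkg, text in logs.items() if scan_log(text))
    pct = 100.0 * len(affected) / len(logs) if logs else 0.0
    return affected, len(logs), pct

# Constructed sample logs; real build logs would be read from disk instead.
SAMPLE_LOGS = {
    "pkg-a": "gcc -g -O2 -Wformat -Wformat-security -c src/log.c -o log.o\n"
             "src/log.c:42:5: warning: format not a string literal and no "
             "format arguments [-Wformat-security]\n",
    "pkg-b": "gcc -g -O2 -c main.c -o main.o\n",
    "pkg-c": "gcc -g -O2 -Wformat -Werror=format-security -c conf.c -o conf.o\n"
             "conf.c:17: error: format not a string literal and no "
             "format arguments [-Werror=format-security]\n",
    # A different -Wformat diagnostic: must not be counted.
    "pkg-d": "gcc -Wall -c util.c\n"
             "util.c:9:3: warning: format '%d' expects argument of type 'int' "
             "[-Wformat=]\n",
}

if __name__ == "__main__":
    affected, total, pct = summarize(SAMPLE_LOGS)
    print(f"{len(affected)}/{total} packages affected ({pct:.1f}%): {affected}")
```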



