On Mon, May 26, 2014 at 9:47 AM, Theo de Raadt <[email protected]> wrote:

> > Some warnings may be ignored, and imho should be because they may hide
> > other more important ones:
> >
> > /usr/local/lib/libevent_core.a(evutil.o)(.text+0x5e1): In function
> > `_evutil_weakrand':
> > : warning: random() isn't random; consider using arc4random()
> >
> > Is it possible to ignore this?
>
> Yeah, you can manually ignore it yourself, much like so many people
> ignored the crap inside the OpenSSL code base for decades.
>
> More likely their reason for having that API at all is totally stupid
> and from the past, and thus the warning should remain. Until they
> make a sensible decision and improve it.
>
> In a related note, there are random() calls in our ksh and awk code.
> The linker warns for them. They are there due to standards mandated
> behaviour. We've changed the runtime behaviour to avoid this
> standards mandated behaviour when possible, but we still have to link
> in the bad function, and get the warning.
>
> And that is how it will stay. We will not add hacks so that people
> can take away these warnings. Your
>

I get it, I also agree it must warn, but I like -Werror :(

So I got two options:

- So if there's a lot of code I need to 2>&1 and grep . to extract all
  those warnings, and then check with a list of
  <ok this warning has been analyzed>
- patch everything (like this weak random) and -Werror

What would you choose?

> > same question for all the strl*, like strlcpy is great but sometimes
> > useless.
>
> You are saying people can use strcpy and strcat safely. Yes.
> Children can carry loaded guns safely too. And nothing ever goes
> wrong.
>

Children? Monkeys are more fun:
http://www.youtube.com/watch?v=0_lc81P-R8k&feature=kp

--
() ascii ribbon campaign - against html e-mail
/\

