Re: Enabling compiler warning flags

2012-12-17 Thread Jeffrey Walton
On Tue, Dec 18, 2012 at 1:44 AM, Mike Frysinger wrote: > On Tuesday 18 December 2012 01:10:14 Jeffrey Walton wrote: >> If you are going to try the waters with warnings, you should also >> consider the flags to integrate with platform security. >> >> Platform security integration includes fortified

Re: Enabling compiler warning flags

2012-12-17 Thread Mike Frysinger
On Tuesday 18 December 2012 00:28:14 David A. Wheeler wrote: > Jim Meyering said: > > Did you realize that several GNU projects now enable virtually > > every gcc warning that is available (even including those that > > are new in the upcoming gcc-4.8, for folks that use bleeding edge gcc) > > via

Re: Enabling compiler warning flags

2012-12-17 Thread Mike Frysinger
On Tuesday 18 December 2012 01:10:14 Jeffrey Walton wrote: > If you are going to try the waters with warnings, you should also > consider the flags to integrate with platform security. > > Platform security integration includes fortified sources and stack > protectors. Here are the flags of intere

Re: Enabling compiler warning flags

2012-12-17 Thread Russ Allbery
Jeffrey Walton writes: > Yeah, I think you are right about asprintf (though I have never used it). > I can't count how many times I've seen silent truncation due to sprint. > Most recently, I pointed it out on some SE Android patches (Android port > of SE Linux) that passed by the NSA sponsored

Re: Enabling compiler warning flags

2012-12-17 Thread Jeffrey Walton
On Tue, Dec 18, 2012 at 1:16 AM, Russ Allbery wrote: > Jeffrey Walton writes: > >> FORTIFY_SOURCE=2 (FORTIFY_SOURCE=1 on Android 4.1+), where available. >> I know Drepper objects to the safer string/memory functions, but his >> way (the way of 1970's strcpy and strcat) simply does not work. I >>

Re: Enabling compiler warning flags

2012-12-17 Thread Russ Allbery
Jeffrey Walton writes: > FORTIFY_SOURCE=2 (FORTIFY_SOURCE=1 on Android 4.1+), where available. > I know Drepper objects to the safer string/memory functions, but his > way (the way of 1970's strcpy and strcat) simply does not work. I > don't disagree that the safer functions are not completely sa

Re: Enabling compiler warning flags

2012-12-17 Thread Jeffrey Walton
On Tue, Dec 18, 2012 at 12:28 AM, David A. Wheeler wrote: > Jim Meyering said: >> Did you realize that several GNU projects now enable virtually >> every gcc warning that is available (even including those that >> are new in the upcoming gcc-4.8, for folks that use bleeding edge gcc) >> via gnulib

Enabling compiler warning flags

2012-12-17 Thread David A. Wheeler
Jim Meyering said: > Did you realize that several GNU projects now enable virtually > every gcc warning that is available (even including those that > are new in the upcoming gcc-4.8, for folks that use bleeding edge gcc) > via gnulib's manywarnings.m4 configure-time tests? > > Of course, there is