On Sun, Dec 28, 2008 at 10:27:16AM +0000, Neil Williams wrote:
> On Sun, 28 Dec 2008 00:42:46 -0800 Kees Cook <k...@outflux.net> wrote:
> > In Debian, some tools already compile natively with -D_FORTIFY_SOURCE=2,
> > and some have Build-Depends on "hardening-wrapper", which enables this
> > compiler flag. As such, it seems sensible to have all affected packages
> > fixed since the results of such a call could change. (Though it is not an
> > RC issue.)
>
> By all affected packages, do you mean packages that use the code or
> packages that use the code *AND* compile with or
> Build-Depend on hardening-wrapper?
>
> IMHO any bugs filed merely due to the presence of the code without the
> means to trigger the error in normal builds should be wishlist.

Sorry for the confusion -- I meant "present in the code", not "actively
broken". I agree it's not a "normal" bug, but I'd like to see the bug at
least as "low" since (with a stock glibc) the bug would appear if a
maintainer decided to use "hardening-wrapper".

> > Thoughts?
>
> Split the list according to packages that merely match the regexp and
> those that match the regexp *AND* match a second regexp indicating that
> the build system either uses -D_FORTIFY_SOURCE=2 or hardening-wrapper?

Good idea, those can be opened with "normal" severity.

-Kees

--
Kees Cook @debian.org