On February 23, 2014 at 9:16 AM Ingo Schwarze <schwa...@usta.de> wrote:
> Hi,
>
> d...@genunix.com wrote on Sun, Feb 23, 2014 at 08:54:34AM -0500:
>
> > I am seeing strange and questionable messages while attempting a compile
> > and then test of GNU gettext 0.18.3.2 thus :
> >
> > ../gnulib-lib/.libs/libgettextlib.so: warning: stpcpy() is dangerous GNU crap; don't use it


> Yes.  They come from ld(1), the OpenBSD linker, and cannot be disabled.

Do you think that maybe a message such as "stpcpy() considered dangerous. Please
submit a patch." would have been a lot more professional? If I see an operating
system that fires an insult across the bow of some other operating system then I
think it is written by children in basements and I stop using it. It speaks to
the level of professionalism employed by those people that release and manage
the OS.




>
> They are intended to remind the person building the software that
> almost all real-world code still containing these functions today
> almost certainly contains buffer overflow bugs, some of which may
> be exploitable.  It is intended as a warning to avoid using such
> software, which probably is of questionable quality, in any
> security-critical applications, and it is intended as an incentive
> to doing a thorough security audit.

Oh I get it. I do. I simply think the message is wrong in tone and
delivery.

Perhaps "please patch foo.c to avoid stpcpy()" would be reasonable.


>
> Note that it is theoretically possible to use these functions
> correctly; however, it is so much more difficult in practice than
> using better interfaces in the first place that practical experience
> shows that only people who care about security much less than the
> OpenBSD security standards continue using them.  For that reason,
> *almost* all real-world software still containing them turns out
> to be of inferior quality when audited thoroughly.

Fine. No argument.


>
> Of course, such warnings cannot replace an actual audit, and just
> fixing the warnings themselves is useless, if not worse than useless,
> because it would just sweep the issues under the rug.
> The warnings just say that an audit is almost certainly needed.

The problem is not the fact that we all agree there is an issue
with the code.  The problem is that we have an OS that runs a
server which issues messages such as "blah blah GNU crap blah"
and that causes me to want to shut it off and go back over to
Solaris or FreeBSD or Red Hat Linux or even Windows would not
pop up a message saying "GNU crap".

Dennis
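
An added example, not part of the original message and not OpenBSD or gettext code: the quoted point that stpcpy() is hard to use correctly, shown as a bounded replacement that reports truncation. The names `bounded_stpcpy` and `join_path` and the sample paths are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: like stpcpy(), but never writes at or past `end`.
 * Returns a pointer to the terminating NUL, or NULL if src was truncated
 * (dst then holds the NUL-terminated prefix that did fit). */
static char *bounded_stpcpy(char *dst, const char *end, const char *src)
{
    if (dst == NULL || dst >= end)
        return NULL;                        /* no room even for the NUL */
    size_t room = (size_t)(end - dst) - 1;  /* bytes usable before the NUL */
    size_t len = strlen(src);
    size_t n = len < room ? len : room;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return len <= room ? dst + n : NULL;
}

/* Hypothetical caller: build "dir/name" in out[outsz].
 * Returns the length written, or -1 if the result did not fit.
 * The unbounded form of this chain,
 *     p = stpcpy(out, dir); p = stpcpy(p, "/"); stpcpy(p, name);
 * never sees outsz and writes past out[] when the input is too long. */
static long join_path(char *out, size_t outsz, const char *dir, const char *name)
{
    const char *parts[] = { dir, "/", name };
    const char *end = out + outsz;
    char *p = out;
    for (size_t i = 0; i < 3; i++) {
        p = bounded_stpcpy(p, end, parts[i]);
        if (p == NULL)
            return -1;                      /* caller must handle truncation */
    }
    return (long)(p - out);
}

int main(void)
{
    char buf[16];                           /* constructed sample inputs */
    printf("%ld\n", join_path(buf, sizeof buf, "/usr", "lib"));
    printf("%ld\n", join_path(buf, sizeof buf, "/usr/local", "bin12"));
    return 0;
}
```

Swapping the call alone does not settle anything: each call site still has to decide what a truncated result means, which is the audit the quoted text asks for.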
