| 1 |
Il giorno sab, 12/03/2011 alle 11.09 -0600, Donnie Berkholz ha scritto: |
| 2 |
> |
| 3 |
> |
| 4 |
> I'm assuming you're talking only about broken builds here and not |
| 5 |
> "QA-only" bugs. My opinion is that if a tinderbox QA script is the |
| 6 |
> only |
| 7 |
> thing finding a nonfatal bug, and it's never reported or CC'd by a |
| 8 |
> user, |
| 9 |
> then it's about as low priority as you can get. |
| 10 |
|
| 11 |
Not really. An user would never report that the package is bundling |
| 12 |
libraries, but that is actually pretty high in priority as it can lead |
| 13 |
to hidden security issues already resolved in the original library to |
| 14 |
sneak in the system. |
| 15 |
|
| 16 |
At the same time, very few users report ignored variables (CC, CFLAGS, |
| 17 |
LDFLAGS, ...) but they are just the same a problem. Especially when |
| 18 |
hardening flags are not used at all. |
| 19 |
|
| 20 |
> So this might serve as a pointer to potentially unmaintained |
| 21 |
> packages, |
| 22 |
> but clearly more investigation is required before removal. |
| 23 |
|
| 24 |
There is always the need to do manual investigation. But in general when |
| 25 |
you see a package that |
| 26 |
|
| 27 |
- ignores LDFLAGS; |
| 28 |
- shows fortify source warnings; |
| 29 |
- ignores CC; |
| 30 |
- misuses autotools; |
| 31 |
- bundle libraries. |
| 32 |
|
| 33 |
you can pretty safely assume neither somebody is looking after it, nor |
| 34 |
using it. |
| 35 |
|
| 36 |
-- |
| 37 |
Diego Elio Pettenò — Flameeyes |
| 38 |
http://blog.flameeyes.eu/ |
Archives