On Sat, 12/03/2011 at 11:09 -0600, Donnie Berkholz wrote:
>
> I'm assuming you're talking only about broken builds here and not
> "QA-only" bugs. My opinion is that if a tinderbox QA script is the only
> thing finding a nonfatal bug, and it's never reported or CC'd by a user,
> then it's about as low priority as you can get.

Not really. A user would never report that the package is bundling
libraries, but that is actually pretty high in priority, as it can lead
to hidden security issues, already resolved in the original library,
sneaking into the system.

At the same time, very few users report ignored variables (CC, CFLAGS,
LDFLAGS, ...) but they are just as much a problem. Especially when
hardening flags are not used at all.

> So this might serve as a pointer to potentially unmaintained packages,
> but clearly more investigation is required before removal.

There is always the need to do manual investigation. But in general, when
you see a package that

- ignores LDFLAGS;
- shows fortify source warnings;
- ignores CC;
- misuses autotools;
- bundles libraries.

you can pretty safely assume that nobody is looking after it, nor
using it.

--
Diego Elio Pettenò — Flameeyes
http://blog.flameeyes.eu/
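As an added illustration of the QA signals listed in the message above (not code from the thread, from Gentoo's tinderbox, or from Portage), here is a small log scanner that flags ignored CC, ignored CFLAGS/LDFLAGS and fortify-source warnings in a build log. The expected toolchain values and the build log lines are constructed for the example.

```python
"""Flag the QA signals discussed above in a build log: compile/link lines that
drop the configured CC, CFLAGS or LDFLAGS, and glibc fortify-source warnings."""
import re

# Constructed expectations: what the build environment asked for.
EXPECTED = {
    "CC": "x86_64-pc-linux-gnu-gcc",
    "CFLAGS": ["-O2", "-D_FORTIFY_SOURCE=2"],
    "LDFLAGS": ["-Wl,--hash-style=gnu", "-Wl,-O1"],
}

# A line whose first token is a compiler driver, followed by its arguments.
COMPILER_RE = re.compile(r"^(?P<cc>\S*(?:gcc|cc|clang))\s+(?P<args>.*)$")
# Typical wording of glibc _FORTIFY_SOURCE diagnostics emitted through gcc.
FORTIFY_RE = re.compile(r"will always overflow destination buffer"
                        r"|declared with attribute warning")


def analyze(log_lines, expected=EXPECTED):
    """Return (line_number, finding) pairs for every QA signal in the log."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        if FORTIFY_RE.search(line):
            findings.append((n, "fortify-warning"))
            continue
        m = COMPILER_RE.match(line.strip())
        if not m:
            continue
        cc, args = m.group("cc"), m.group("args").split()
        if cc != expected["CC"]:
            findings.append((n, "ignored-CC"))
        # No -c but an output file: this is a link step, so LDFLAGS apply.
        if "-c" not in args and "-o" in args:
            if any(f not in args for f in expected["LDFLAGS"]):
                findings.append((n, "ignored-LDFLAGS"))
        elif any(f not in args for f in expected["CFLAGS"]):
            findings.append((n, "ignored-CFLAGS"))
    return findings


# Constructed build log: one clean compile, one that drops CC and the fortify
# flag, a fortify warning, and a link step that ignores LDFLAGS.
SAMPLE_LOG = """\
make[1]: Entering directory '/var/tmp/portage/foo/work'
x86_64-pc-linux-gnu-gcc -O2 -D_FORTIFY_SOURCE=2 -c -o util.o util.c
gcc -O2 -c -o main.o main.c
util.c:12:5: warning: call to __builtin___strcpy_chk will always overflow destination buffer
x86_64-pc-linux-gnu-gcc -o foo util.o main.o -lm
""".splitlines()

if __name__ == "__main__":
    for n, finding in analyze(SAMPLE_LOG):
        print(f"line {n}: {finding}")
```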