| 1 |
On Sun, 9 Sep 2018 14:32:21 +0300 |
| 2 |
Andrew Savchenko <bircoph@g.o> wrote: |
| 3 |
|
| 4 |
> Hi! |
| 5 |
> |
| 6 |
> Our current -Werror policy demands unconditional removal: |
| 7 |
> https://devmanual.gentoo.org/ebuild-writing/common-mistakes/index.html#-werror-compiler-flag-not-removed |
| 8 |
|
| 9 |
Which is great. |
| 10 |
|
| 11 |
> I think this is wrong, see bugs 665464, 665538 for a recent |
| 12 |
> discussion why. |
| 13 |
|
| 14 |
That's just QA failing to be human in one report and then again in |
| 15 |
another report. It happens all the time and cannot be fixed, so you seem |
| 16 |
to instead suggest banning -Werror wrong because some developers think |
| 17 |
they can sanely cat-herd -Werror's overreaching effects. |
| 18 |
|
| 19 |
> My point is that in *most* cases -Werror indeed should be removed, |
| 20 |
> because upstream rarely can keep up with all possible configure, |
| 21 |
> *FLAGS, compiler versions and arch combinations. But! In some cases |
| 22 |
> — especially for security oriented software — this flag may be |
| 23 |
> pertain and may be kept at maintainer's discretion. |
| 24 |
^^^^^^^ |
| 25 |
Pertinent, you meant to say, I assume. |
| 26 |
|
| 27 |
If you really have to support this mistaken (upstream) sense of |
| 28 |
security, instead go for -Werror=<warning> (see gcc(1)) i.e. turn very |
| 29 |
specific warnings into errors instead of turning _all_ warnings into |
| 30 |
errors. |
| 31 |
|
| 32 |
> The rationale is that -Werror usually points to dangerous |
| 33 |
> situations like uninitialized variables, pointer type mismatch or |
| 34 |
> implicit function declaration (and much more) |
| 35 |
|
| 36 |
No it does not. It merely turns warnings (non-fatal) emitted by the |
| 37 |
actual checks into errors (fatal). It does not cause any checks to be |
| 38 |
performed or warnings to be issued by itself. |
| 39 |
|
| 40 |
Setting or allowing a blanket -Werror therefore causes innocuous |
| 41 |
warnings like this: |
| 42 |
|
| 43 |
warning: format not a string literal, argument types not checked |
| 44 |
[-Wformat-nonliteral] |
| 45 |
(In other words: FIXME: I didn't check this format because it was not |
| 46 |
a string literal and I cannot yet resolve those into an actual format |
| 47 |
defined elsewhere.*) |
| 48 |
|
| 49 |
and this: |
| 50 |
|
| 51 |
# hppa2.0-unknown-linux-gnu-gcc -fstack-protector main.c |
| 52 |
cc1: warning: -fstack-protector not supported for this target |
| 53 |
|
| 54 |
into hilarious errors. |
| 55 |
|
| 56 |
To some those might look like succeeding security checks, but they're |
| 57 |
really failing sanity checks. |
| 58 |
|
| 59 |
> which may lead to serious security implications. |
| 60 |
> |
| 61 |
> So, if maintainer has enough manpower to support this flag, we |
| 62 |
> should allow to keep it. Of course if it will cause long-standing |
| 63 |
> troubles (e.g. bugs opened for a long time) QA should have power to |
| 64 |
> remove it or demand its removal. |
| 65 |
> |
| 66 |
> So my proposal is: |
| 67 |
> |
| 68 |
> 1) Deprecate QA policy with unconditional demand of -Werror removal. |
| 69 |
|
| 70 |
You have yet to give arguments for its removal. Like, proper and |
| 71 |
particular examples of where -Werror benefits everyone. So far I've |
| 72 |
seen only some hand-waving of the (in)security banner. |
| 73 |
|
| 74 |
Unless you meant to say that security is improved when you can't |
| 75 |
install the software when of -Werror prevents it from being built, |
| 76 |
because then you've already solved the entire problem of the software's |
| 77 |
purported vulnerabilities, indeed. |
| 78 |
|
| 79 |
> 2) Add to devmanual's chapter on -Werror an exception clause about |
| 80 |
> security-oriented software and maintainer's right to make final |
| 81 |
> decision. |
| 82 |
|
| 83 |
That clause will be the laughing stock of the security community. |
| 84 |
|
| 85 |
|
| 86 |
Regards, |
| 87 |
jer |
| 88 |
|
| 89 |
|
| 90 |
* We have plenty of bug reports already where one "security researcher" |
| 91 |
points out that the build fails when the former warning is triggered |
| 92 |
when -Werror is injected, and it might indeed look like a lurking |
| 93 |
security issue if it weren't for the fact that the format sanity check |
| 94 |
never took place. |
Archives