1 |
On Sun, 9 Sep 2018 14:32:21 +0300 |
2 |
Andrew Savchenko <bircoph@g.o> wrote: |
3 |
|
4 |
> Hi! |
5 |
> |
6 |
> Our current -Werror policy demands unconditional removal: |
7 |
> https://devmanual.gentoo.org/ebuild-writing/common-mistakes/index.html#-werror-compiler-flag-not-removed |
8 |
|
9 |
Which is great. |
10 |
|
11 |
> I think this is wrong, see bugs 665464, 665538 for a recent |
12 |
> discussion why. |
13 |
|
14 |
That's just QA failing to be human in one report and then again in |
15 |
another report. It happens all the time and cannot be fixed, so you seem |
16 |
to instead suggest banning -Werror wrong because some developers think |
17 |
they can sanely cat-herd -Werror's overreaching effects. |
18 |
|
19 |
> My point is that in *most* cases -Werror indeed should be removed, |
20 |
> because upstream rarely can keep up with all possible configure, |
21 |
> *FLAGS, compiler versions and arch combinations. But! In some cases |
22 |
> — especially for security oriented software — this flag may be |
23 |
> pertain and may be kept at maintainer's discretion. |
24 |
^^^^^^^ |
25 |
Pertinent, you meant to say, I assume. |
26 |
|
27 |
If you really have to support this mistaken (upstream) sense of |
28 |
security, instead go for -Werror=<warning> (see gcc(1)) i.e. turn very |
29 |
specific warnings into errors instead of turning _all_ warnings into |
30 |
errors. |
31 |
|
32 |
> The rationale is that -Werror usually points to dangerous |
33 |
> situations like uninitialized variables, pointer type mismatch or |
34 |
> implicit function declaration (and much more) |
35 |
|
36 |
No it does not. It merely turns warnings (non-fatal) emitted by the |
37 |
actual checks into errors (fatal). It does not cause any checks to be |
38 |
performed or warnings to be issued by itself. |
39 |
|
40 |
Setting or allowing a blanket -Werror therefore causes innocuous |
41 |
warnings like this: |
42 |
|
43 |
warning: format not a string literal, argument types not checked |
44 |
[-Wformat-nonliteral] |
45 |
(In other words: FIXME: I didn't check this format because it was not |
46 |
a string literal and I cannot yet resolve those into an actual format |
47 |
defined elsewhere.*) |
48 |
|
49 |
and this: |
50 |
|
51 |
# hppa2.0-unknown-linux-gnu-gcc -fstack-protector main.c |
52 |
cc1: warning: -fstack-protector not supported for this target |
53 |
|
54 |
into hilarious errors. |
55 |
|
56 |
To some those might look like succeeding security checks, but they're |
57 |
really failing sanity checks. |
58 |
|
59 |
> which may lead to serious security implications. |
60 |
> |
61 |
> So, if maintainer has enough manpower to support this flag, we |
62 |
> should allow to keep it. Of course if it will cause long-standing |
63 |
> troubles (e.g. bugs opened for a long time) QA should have power to |
64 |
> remove it or demand its removal. |
65 |
> |
66 |
> So my proposal is: |
67 |
> |
68 |
> 1) Deprecate QA policy with unconditional demand of -Werror removal. |
69 |
|
70 |
You have yet to give arguments for its removal. Like, proper and |
71 |
particular examples of where -Werror benefits everyone. So far I've |
72 |
seen only some hand-waving of the (in)security banner. |
73 |
|
74 |
Unless you meant to say that security is improved when you can't |
75 |
install the software when of -Werror prevents it from being built, |
76 |
because then you've already solved the entire problem of the software's |
77 |
purported vulnerabilities, indeed. |
78 |
|
79 |
> 2) Add to devmanual's chapter on -Werror an exception clause about |
80 |
> security-oriented software and maintainer's right to make final |
81 |
> decision. |
82 |
|
83 |
That clause will be the laughing stock of the security community. |
84 |
|
85 |
|
86 |
Regards, |
87 |
jer |
88 |
|
89 |
|
90 |
* We have plenty of bug reports already where one "security researcher" |
91 |
points out that the build fails when the former warning is triggered |
92 |
when -Werror is injected, and it might indeed look like a lurking |
93 |
security issue if it weren't for the fact that the format sanity check |
94 |
never took place. |