Source: inotify-tools
Version: 3.14-4
Severity: grave

Hi,

In inotify-tools 3.14-4, all the qa sanitizers were enabled in DEB_BUILD_MAINT_OPTIONS. This should not be done in production.

* Many architectures do not support sanitizers. Your package FTBFS on mips* due to this. While clang supports ASan on mips, gcc does not.

* The man page for dpkg-buildflags explicitly states these options should not be used in production builds and are for debugging only.

* Enabling sanitizers causes an approx 2x performance penalty.

* Enabling ASan changes the behavior of a program in some circumstances (mainly relating to memory management and things like LD_PRELOAD no longer work without hacks). Enabling ASan in a library package is even worse because you will impose these behavior changes on all users of your library who may not be expecting them.

* ASan complains about memory leaks and these are easy to reproduce with inotify-tools. While this is very useful during development, I do not think users should be subjected to these types of bugs which are mostly harmless. E.g. run inotifywait without any arguments and ASan will complain loudly.

* Users of libinotifytools0 must now enable ASan themselves or use the LD_PRELOAD hack otherwise they will not start. For example, the attached simple test program fails to run with:

==19349==ASan runtime does not come first in initial library list; you should either link runtime to your application or manually preload it with LD_PRELOAD.

Thanks,
James

#include <inotifytools/inotifytools.h>

int main(void)
{
    inotifytools_initialize();
    return 0;
}
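
A packaging check for the problem reported above, as an added example that is not part of the original bug report or of the inotify-tools package: it scans debian/rules text for sanitize features switched on through DEB_BUILD_MAINT_OPTIONS. The function names and the sample rules line are constructed for illustration; the feature syntax is the one dpkg-buildflags documents for its sanitize area.

```shell
#!/bin/sh
# Added example (not from the bug report): flag sanitizers enabled for
# production builds via DEB_BUILD_MAINT_OPTIONS in debian/rules.

# Reads debian/rules text on stdin and prints each enabled sanitize feature
# (address, thread, leak, undefined, or all), one per line.
enabled_sanitizers() {
    awk '
    # Join backslash-continued lines into one logical line.
    /\\$/ { sub(/\\$/, " "); buf = buf $0; next }
    { line = buf $0; buf = "" }
    # Match "DEB_BUILD_MAINT_OPTIONS =", ":=", "+=", "?=", with or without export.
    line ~ /^[ \t]*(export[ \t]+)?DEB_BUILD_MAINT_OPTIONS[ \t]*[:+?]?=/ {
        sub(/^[^=]*=/, "", line)
        n = split(line, areas, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            if (areas[i] !~ /^sanitize=/) continue
            sub(/^sanitize=/, "", areas[i])
            # Features are comma separated; "+" enables, "-" disables.
            m = split(areas[i], feats, ",")
            for (j = 1; j <= m; j++)
                if (feats[j] ~ /^[+]/) print substr(feats[j], 2)
        }
    }'
}

# Returns 1 when any sanitizer is enabled, so it can gate a CI or lint step.
check_rules() {
    found=$(enabled_sanitizers)
    [ -z "$found" ] && return 0
    echo "sanitizers enabled in build flags:" $found >&2
    return 1
}

# Constructed sample, not the package's actual debian/rules.
sample='export DEB_BUILD_MAINT_OPTIONS = hardening=+all \
    sanitize=+all'
printf '%s\n' "$sample" | check_rules || echo "would fail the packaging gate"
```

In a real tree the input would be `check_rules < debian/rules`; the check is textual and does not evaluate make variables or conditionals.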