Am 06.12.2013 11:30, schrieb Adam Williamson: > On Fri, 2013-12-06 at 10:37 +0100, Ralf Corsepius wrote: >> On 12/05/2013 07:43 PM, Jan Lieskovsky wrote: >> >>>> From: "Ralf Corsepius" >> >>>> Would you mind to explain why you guys are putting such an emphasize on >>>> -Wformat-security? >>> >>> Some possible ways how to look at it: >>> * because when all reported packages are patched, it would remove one >>> whole class of security flaws, >> >> Iff the tools being utilized were reliable and if the findings are fixed >> by skilled people, who really understand what they are doing. >> Both does NOT APPLY in Fedora. Fedora/RH's GCC produces false diagnoses >> and the average Fedora packager is not an experienced C-developer. > > The intent is not for Fedora packagers to patch problems downstream, it > is for them to report bugs upstream and have the problems fixed there
that's fine and a perfect solution if it happens in a timly manner but what is the plan if this does not work out for a unknown number of packages because upstream is not willing or able to "fix it" or only in a later release giving that the package is not buildable at all it should at least exists a clear rule to overwrite the flag for such cases because not buildable with -Werror=format-security should not result in throw a package out of the distribution or hold back a update which may fix a *real* security relevant bug but does not build
signature.asc
Description: OpenPGP digital signature
-- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
