On Fri, 2013-12-06 at 15:06 -0500, Darryl L. Pierce wrote:
> On Fri, Dec 06, 2013 at 02:27:05AM +0100, Kevin Kofler wrote:
> > Michael Scherer wrote:
> > > Let's rather ask the contrary, why is this so much an issue to communicate
> > > with upstream to fix things, and add patches?
> > 
> > The vast majority of those warnings are actually false positives, not actual
> > security issues. Putting my upstream hat on, if asked to "fix" such a false
> > positive, I'd do one of:
> > (a) close the bug as INVALID/NOTABUG/WONTFIX or
> > (b) hardcode -Wno-error=format-security -Wno-format-security in my build 
> > setup and close the bug as FIXED.
> 
> Additionally, some code (like my package, qpid-cpp) uses code that's
> generated by another app like Swig. We have no control over what that
> code is. So enabling this as an error would be unresolvable by our
> project and we'd be blocked until the Swig team decided to change their
> code generation bits.

Don't use swig as an excuse not to fix things. Of all the packages I
maintain, only one was affected by this issue. That one was easily
solvable by deleting the bundled swig-generated code in the sources and
having the build regenerate it with a newer swig version that doesn't
produce broken code.

My other packages once used to have quite a few of these, but since
Debian has had -Werror=format-security as the default for quite some
time now those were already fixed in order to compile on Debian. So
adding this as the default for Fedora now will not nearly be as
disruptive as it was when it was added as a default on Debian. We are
coming late to the game here.

        Mattias
