On 03/14/2016 12:53 PM, Salz, Rich via RT wrote: >> In order build openssl 1.0.2g >> >> use `make depend` when prompted -- i.e., do NOT ignore the advice >> but DO ignore the 1000's of lines of output, and just proceed to >> subsequent `make` >> >> And that resultant build is considered a reliable build. >> >> Is that correct?
> Yes. How do you know it's reliable? In particular, how do you know there is not one important warning hiding among the thousands of others? To assume that "any warning must be a false warning" seems tantamount to assuming there cannot possibly be any bugs in openssl. When I'm writing code, for many many years I have treated all warnings as fatal errors. That applies to all my code, not just mission-critical and security-critical code. It's very trendy these days to use "formal methods" to increase reliability and security. Getting the code to compile without warnings seems like 0.01% of a baby step in the right direction. Conversely, training users to ignore warnings seems antisocial. It is the opposite of good security practice. > In this particular case it's more trouble than it's worth. > > A future update to 1.0.2 might just remove that. If it's not supported it should be stricken from the list of supported features. Conversely, if it's a supported feature it should do the right thing. Code that generates thousands of warnings is not doing the right thing. -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
