On 2012/07/13 02:37, Peter Laufenberg wrote:
> >I'd just like to point out on-list that we shouldn't be patching
> >away stpcpy everywhere, it is easy to introduce a bug in perfectly
> >correct code by doing this (as happened in some cases with strlcpy
> >patches in the ports tree), it's just that gettext is *very* commonly
> >used and the linker warning adds a lot of noise to the build logs,
> >so removing that noise is helpful here.
>
> Sorry if this is already addressed elsewhere but is there a way to browse
> ports' various "code orthodoxy" statistics such as strcpy() usage and other
> OpenBSD no-nos?
>
> I understand compiler warnings are a far cry from full-blown static code
> analysis, and that a strcpy-clean port could still be a Swiss
> security-cheese, but whatever stats would be a start. F.ex. Debian's
> comparison between Clang- and gcc-compiled kernels shows interesting patterns
> (I know their resources are vastly superior).
>
> Maybe such name-and-shame stats could help prod upstream maintainers to
> improve their code.
Well, it's possible (`grep -Rc 'warning.*dangerous' . | grep -v ':0$' | sort -n -r -k2 -t:` over a bulk build log directory) but pointless, as this in no way indicates whether something is used correctly or not. Just as a port only using the "safe" functions could still have huge problems, a port using the "unsafe" functions could still be using them correctly.