lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Fri, 3 Jul 2009 23:53:58 +0200
From:	Floris Kraak <randakar@...il.com>
To:	Sam Ravnborg <sam@...nborg.org>
Cc:	Linus Torvalds <torvalds@...ux-foundation.org>,
	linux-kbuild <linux-kbuild@...r.kernel.org>,
	LKML <linux-kernel@...r.kernel.org>,
	WANG Cong <amwang@...hat.com>,
	Jaswinder Singh Rajput <jaswinderrajput@...il.com>,
	Pekka Enberg <penberg@...helsinki.fi>,
	Frans Pop <elendil@...net.nl>, maximilian attems <max@...o.at>,
	Tim Abbott <tabbott@...lice.com>,
	Paul Mundt <lethal@...ux-sh.org>
Subject: Re: [GIT] kbuild fixes

On Fri, Jul 3, 2009 at 11:43 PM, Sam Ravnborg<sam@...nborg.org> wrote:
>
> - disabling of -Wformat-security
>  We looked at it and 'fixing' the warnings was not pleasant

The alternative is roughly 136 'trivial' patches to shut them all up*
and one to turn this flag on unconditionally to prevent hackers from
adding more of them after that ;-)

The alternative to *that* is improving on this silly flag:
- Either finding some way to teach GCC how to not emit warnings about
usage that is entirely sane.
- Or finding some way to teach some other build tool to catch unsafe
usage without polluting the build with false positives.

Take your pick.

*) While I can't give you 100% certainty about every warning I know
for a fact the vast majority of the warnings at least consists of
false positives so there'd be no other benefit from them except a
quieter kernel build on certain distro's ;-)

Regards,
Floris
---
'Or lawyers may say, “But if I decline, someone else will do it. So
what is gained?” My reply: “Let someone else do it. But not you. Honor
is personal. Worry about yourself.  You don’t get a pass from moral
responsibility because you acted for a client.”

That’s the first lesson I would offer, aimed at lawyers. A second
lesson, aimed at all, is this: Keep ready your capacity for outrage.
This is very important. Next to the vote, outrage is the one response
each of us can contribute. Outrage is how honor must confront
dishonor. If we lose the capacity for outrage, we are in serious
trouble. '
   --- Stephen Gillers
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ