FORTIFY build failures (was: Re: [ubuntu/jaunty] conntrack 1:0.9.7-1.1ubuntu1 (Accepted))
Kees Cook
kees at outflux.net
Mon Nov 24 16:42:39 GMT 2008
Hi,
On Mon, Nov 24, 2008 at 02:11:59AM +0000, James Westby wrote:
> On Sun, 2008-11-23 at 17:47 -0800, Kees Cook wrote:
> > Well, as you say, it's always different. The way I've tended to triage
> > them is:
>
> This is good advice, do you think it should go on the wiki page?
Probably -- I'm not sure how it should be incorporated, though. The
CompilerFlags page currently has a case-by-case analysis of each kind of
warning the flags might throw. What do you think would make a readable
arrangement? I was pondering a separate page for triage, or maybe just a
stand-alone section on the page?
> Ah, there are runtime protections as well as code checks, now I see the
> point.
Right -- it basically replaces sprintf with snprintf, strcpy with strncpy,
and wraps things like 'read'. There are some situations (like the use of
"extern") that can't be checked at compile-time, etc.
-Kees
--
Kees Cook @outflux.net
More information about the ubuntu-devel
mailing list