autoconf

Re: RFE: macro for warning at configure-time if CFLAGS includes -Werror


From: Jeffrey Walton
Subject: Re: RFE: macro for warning at configure-time if CFLAGS includes -Werror
Date: Wed, 19 Sep 2012 17:56:49 -0400

On Wed, Sep 19, 2012 at 5:22 PM, Russ Allbery <address@hidden> wrote:
> Jeffrey Walton <address@hidden> writes:
>
>> As a dumb user, I want to use a cookbook. That means I want to do a:
>
>>    ./configure CFLAGS="-Wall -Wextra ...."
>
>> I don't want to have to learn how to use autoconf, automake, and make.
>> I don't want to subscribe to a mailing list to make things work. I just
>> want it to work as expected.
>
> If you're an end user following a cookbook, you probably should not be
> overriding the decisions of the package maintainer and adding additional
> warning flags.  Warning flags are useful for more sophisticated users to
> detect possible bugs in the software.  Users who are just following
> cookbooks and who aren't prepared to debug the software are not going to
> gain anything useful by enabling a bunch of optional warnings, let alone
> trying to use -Werror.

Good point, Russ.

I would like to leave it alone. But *every* FOSS project I've seen
(and *all* closed source security audits I've performed) neglect the
security related stuff. That means I have to act because the supply
chain is under my purview - I have no choice.

Here's the latest example of high integrity software failing the
CompSci 101 stuff. But it's not limited to high-integrity software (the
problem is pandemic): "FreeRADIUS: Stack Overflow in TLS-based EAP
Methods," http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3547.

In the above example, at least three measures could have been taken to
avoid or lessen the problem. If you look at the project's default
setup, you will see the development team chose none of them. In this
case, it was not the development team making a careful choice. It was
an oversight (as I said, the "awareness problem" is pandemic).

Jeff


