On Wed, Sep 19, 2012 at 5:22 PM, Russ Allbery <rra@xxxxxxxxxxxx> wrote:
> Jeffrey Walton <noloader@xxxxxxxxx> writes:
>
>> As a dumb user, I want to use a cookbook. That means I want to do a:
>>
>> ./configure CFLAGS="-Wall -Wextra ...."
>>
>> I don't want to have to learn how to use autoconf, automake, and make.
>> I don't want to subscribe to a mailing list to make things work. I just
>> want it to work as expected.
>
> If you're an end user following a cookbook, you probably should not be
> overriding the decisions of the package maintainer and adding additional
> warning flags. Warning flags are useful for more sophisticated users to
> detect possible bugs in the software. Users who are just following
> cookbooks and who aren't prepared to debug the software are not going to
> gain anything useful by enabling a bunch of optional warnings, let alone
> trying to use -Werror.

Good point Russ. I would like to leave it alone. But *every* FOSS project
I've seen (and *all* closed source security audits I've performed) neglect
the security related stuff. That means I have to act because the supply
chain is under my purview - I have no choice.

Here's the latest example of high integrity software failing the CompSci
101 stuff. But it's not limited to high-integrity software (the problem is
pandemic): "FreeRADIUS: Stack Overflow in TLS-based EAP Methods,"
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3547.

In the above example, at least three measures could have been taken to
avoid or lessen the problem. If you look at the project's default setup,
you will see the development team chose none of them. In this case, it was
not the development team making a careful choice. It was an oversight (as
I said, the "awareness problem" is pandemic).

Jeff

_______________________________________________
Autoconf mailing list
Autoconf@xxxxxxx
https://lists.gnu.org/mailman/listinfo/autoconf
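The `./configure CFLAGS="..."` approach from the thread fails in exactly the way Russ warns about when a flag in the cookbook is unknown to the user's compiler: configure's own test compiles break and the user is left debugging. The script below is an added example, not code from the thread or from Autoconf; it probes each candidate diagnostic or hardening flag against the local compiler (assumed reachable as `$CC`, default `cc`, with `mktemp` available) and only passes the accepted subset on to configure. The candidate list is my own choice; the thread itself names no specific measures.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build a CFLAGS string
# out of only those flags the local compiler actually accepts, so a
# cookbook user does not hand ./configure a flag that breaks its tests.
# Assumptions: POSIX sh, a C compiler as $CC (default: cc), mktemp -d.

# flag_supported FLAG
#   Exit 0 if the compiler compiles a trivial translation unit with FLAG
#   under -Werror (so "unknown option" warnings also count as rejection).
flag_supported() {
    _cc="${CC:-cc}"
    _tmp="$(mktemp -d)" || return 1
    printf 'int main(void) { return 0; }\n' > "$_tmp/probe.c"
    if "$_cc" -Werror "$1" -c "$_tmp/probe.c" -o "$_tmp/probe.o" >/dev/null 2>&1; then
        rm -rf "$_tmp"
        return 0
    fi
    rm -rf "$_tmp"
    return 1
}

# accepted_flags FLAG...
#   Print the space-separated subset of FLAG... that flag_supported accepts,
#   preserving the order given.
accepted_flags() {
    _out=""
    for _f in "$@"; do
        if flag_supported "$_f"; then
            _out="${_out}${_out:+ }${_f}"
        fi
    done
    printf '%s\n' "$_out"
}

# Candidate diagnostics and compile-time hardening options. This list is a
# constructed example; pick what matters for your own build.
CANDIDATE_CFLAGS="-Wall -Wextra -Wformat=2 -fstack-protector-strong -fPIE"

# Typical use from a build cookbook, with the two steps kept separate so the
# chosen flags are visible before configure runs:
#
#   CHOSEN="$(accepted_flags $CANDIDATE_CFLAGS)"
#   printf 'Using CFLAGS: %s\n' "$CHOSEN"
#   ./configure CFLAGS="$CHOSEN"
```

Because each probe runs with `-Werror`, a compiler that merely warns about an unrecognised `-W` option still causes that flag to be dropped, which is the behaviour you want when the resulting `CFLAGS` will be fed to configure's own `-Werror`-sensitive checks. Keeping the probe separate from the configure invocation also makes the chosen flags reviewable, which is the point of overriding the maintainer's defaults in the first place.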