On Thu, Jul 19, 2018 at 05:11:15PM -0400, Eric Sunshine wrote: > On Thu, Jul 19, 2018 at 4:39 PM Jeff King <peff@xxxxxxxx> wrote: > > [...] > > Let's start by banning strcpy() and sprintf(). It's not > > impossible to use these correctly, but it's easy to do so > > incorrectly, and there's always a better option. > > [...] > > Signed-off-by: Jeff King <peff@xxxxxxxx> > > --- > > diff --git a/banned.h b/banned.h > > @@ -0,0 +1,19 @@ > > +/* > > + * This header lists functions that have been banned from our code base, > > + * because they're too easy to misuse (and even if used correctly, > > + * complicate audits). Including this header turns them into compile-time > > + * errors. > > + */ > > When the above talks about "including this header", the implication is > that it must be included _after_ the system header(s) which declare > the banned functions. I wonder if that requirement should be stated > here explicitly. Hmm, does it need to be? I had originally intended it to be included before, actually, though in the end I put it later. I guess it would yield declarations like strcpy_is_banned(), which would cause _different_ errors (probably link-time ones). > (Probably not worth a re-roll.) Yeah, I doubt it matters much either way, since the inclusion is done automatically in git-compat-util.h. I had also originally imagined this to be triggered via DEVELOPER=1, with something like "-include banned.h" in CFLAGS. But I think it probably is appropriate for everybody to run it, since it shouldn't cause any false positives or other compilation issues. The one I brainstormed (but forgot to mention) is that it might be possible for a platform to have strcpy as a macro already? In which case we'd need to #undef it or risk a compilation error (even if the macro isn't actually used). -Peff
