On Thu, Jul 19, 2018 at 5:27 PM Jeff King <peff@xxxxxxxx> wrote: > On Thu, Jul 19, 2018 at 05:11:15PM -0400, Eric Sunshine wrote: > > On Thu, Jul 19, 2018 at 4:39 PM Jeff King <peff@xxxxxxxx> wrote: > > > + * This header lists functions that have been banned from our code base, > > > + * because they're too easy to misuse (and even if used correctly, > > > + * complicate audits). Including this header turns them into compile-time > > > + * errors. > > > > When the above talks about "including this header", the implication is > > that it must be included _after_ the system header(s) which declare > > the banned functions. I wonder if that requirement should be stated > > here explicitly. > > Hmm, does it need to be? I had originally intended it to be included > before, actually, though in the end I put it later. > I guess it would yield declarations like strcpy_is_banned(), which would > cause _different_ errors (probably link-time ones). Yes, that's what I meant. You'd only get link-time errors if banned.h was included before the system headers (assuming I'm thinking about this correctly). > > (Probably not worth a re-roll.) > > Yeah, I doubt it matters much either way, since the inclusion is done > automatically in git-compat-util.h. Exactly. > I had also originally imagined this to be triggered via DEVELOPER=1, > with something like "-include banned.h" in CFLAGS. But I think it > probably is appropriate for everybody to run it, since it shouldn't > cause any false positives or other compilation issues. Agreed. > The one I brainstormed (but forgot to mention) is that it might be > possible for a platform to have strcpy as a macro already? In which case > we'd need to #undef it or risk a compilation error (even if the macro > isn't actually used). I have some recollection (perhaps long outdated or just wrong) of Microsoft headers spewing deprecation warnings about "unsafe" functions. I don't know whether they did that by covering functions with macros or by decorating the function with a deprecation attribute or by some other mechanism, but such concern seems well-founded. #undef'ing them might indeed be a very good preventative tactic.