Hi,

On Thu, 28 Jul 2011, Kees Cook wrote:
> Oh, I've thought of one additional detail in making these defaults.
> "-Werror=format-security" was only recently added, and this will likely
> cause a fair level of FTBFS from some packages. This is not one of the gcc
> defaults used in Ubuntu. It was added to hardening-includes because h-i has
> effectively been a low-volume opt-in build-dep.
>
> Since switching to dpkg-buildflags is also opt-in, it probably shouldn't
> hurt too much, but I have never attempted an archive-wide rebuild with
> -Werror=format-security added to the hardening flags.

It's not opt-in for all packages, any package using "dh" and CDBS is
already using dpkg-buildflags... so we should definitely get some
statistics before deciding to keep this by default.

Can you do the work of collecting those statistics? Tollef has access to
a big machine where building all packages takes 14h. Roger Leigh used it
for that kind of research.

Maybe you can do the rebuild without -Werror=format-security and just
grep the log to find out those that would fail.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Follow my Debian News ▶ http://RaphaelHertzog.com (English)
                      ▶ http://RaphaelHertzog.fr (Français)
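
Added example, not part of the original message: one way to do the "grep the log" step suggested above, listing the packages whose build log carries a -Wformat-security warning and would therefore fail once it becomes an error. It assumes one log per package named <source>_<version>_<arch>.build and a rebuild done with -Wformat -Wformat-security enabled as warnings only; the function names and the sample logs are constructed for illustration.

```shell
#!/bin/sh
# Assumption: the rebuild kept -Wformat -Wformat-security as plain warnings,
# so gcc tags each offending call with "[-Wformat-security]" in the log.

# Print "<source-package> <hit-count>" for every log in directory $1
# that contains at least one format-security warning.
format_security_hits() {
    for log in "$1"/*.build; do
        [ -f "$log" ] || continue
        # grep -c prints 0 and exits 1 when nothing matches; ignore the status.
        n=$(grep -c -e 'warning: .*\[-Wformat-security\]' "$log") || true
        [ "$n" -gt 0 ] || continue
        pkg=$(basename "$log")
        echo "${pkg%%_*} $n"
    done
}

# Summarise how many of the logs in $1 would turn into build failures.
summary() {
    total=$(( $(ls "$1"/*.build 2>/dev/null | wc -l) ))
    failing=$(( $(format_security_hits "$1" | wc -l) ))
    echo "$failing of $total packages would fail"
}

# Constructed sample logs (not taken from a real archive rebuild).
make_sample_logs() {
    mkdir -p "$1"
    cat > "$1/foo_1.0-1_amd64.build" <<'EOF'
gcc -g -O2 -Wformat -Wformat-security -c log.c
log.c:42:5: warning: format not a string literal and no format arguments [-Wformat-security]
log.c:57:9: warning: format not a string literal and no format arguments [-Wformat-security]
EOF
    cat > "$1/bar_2.3-4_amd64.build" <<'EOF'
gcc -g -O2 -Wformat -Wformat-security -c main.c
main.c:10:3: warning: unused variable 'i' [-Wunused-variable]
EOF
}

# Usage: sh this-script.sh /path/to/build-logs
if [ "$#" -gt 0 ]; then
    format_security_hits "$1"
    summary "$1"
fi
```

Packages that build with their own flags and ignore dpkg-buildflags will not show the warning at all, so the count is a lower bound on the logs scanned.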