On Sun, Jun 09, 2002 at 10:40:11PM +0200, Martin v. Loewis wrote:
> Torsten Knodt <[EMAIL PROTECTED]> writes:
>
> > that's not what I wanted to do. I think IBM and the other big users
> > of this patch, will do this themselves. But I think in the meantime
> > it would be a win to debian. Yes, it's mostly not a good idea to
> > have features patches in the debian diff, but this would give
> > security and, when I'm not wrong, wouldn't not make the compiled
> > programs incompatible to normal programs.
>
> It probably would, because of the access to /dev/urandom. I haven't
> tried, but I'm sure I could construct an application that would break
> if that feature is enabled.

Easily. It will wastefully drain the entropy pool of the system, with
potentially severe impact on any crypto with a legitimate need for
entropy.

> > That's why I suggested a separate version of gcc as an option. Like
> > there are versions with and without ssl for many packages, there
> > could be a gcc version with and without stack protection. If you
> > think this not a good idea, I would agree to close the report.
>
> Anybody that wants to use this patch on a regular basis can already do
> so. Anybody who wants this package only rarely won't be helped much by
> a separate package, IMO. In a separate package, it would IMO increase
> the maintenance overhead, and prevent that remaining problems are
> found.
>
> I think the best use of this patch would be if someone would try to
> create a complete Debian distribution with the compiler, and run the
> it with to find problems in the existing packages. The set of problems
> found will also help in evaluating the patch. All you need is a lot of
> disk space and spare cycles.

I agree. There's very little point in adding this patch, especially to
a version of GCC we're trying to obsolete soon.

--
Daniel Jacobowitz                           Carnegie Mellon University
MontaVista Software                         Debian GNU/Linux Developer