[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: gnucobol-3.1-rc1 and -U_FORTIFY_SOURCE
|
From: |
James K. Lowden |
|
Subject: |
Re: gnucobol-3.1-rc1 and -U_FORTIFY_SOURCE |
|
Date: |
Mon, 13 Jul 2020 12:52:14 -0400 |
On Sun, 12 Jul 2020 09:25:34 -0400
Jeffrey Walton <noloader@gmail.com> wrote:
> Disabling _FORTIFY_SOURCE will cause GNU Cobol to fail audits and
> acceptance testing. For example, checksec
> (https://github.com/slimm609/checksec.sh) will generate findings on
> the output artifacts.
That's impressive. My gcc manual mentions _FORTIFY_SOURCE exactly 4
times, 3 of which vaguely describe how it's affected by -O2 on Ubuntu
8.10. It never once lists which functions are checked, nor what
compile-time or run-time errors are produced.
Yet its use causes the software to fail audits and acceptance testing??
Do these same auditors and acceptors scan the source code for
#undef _FORTIFY_SOURCE
or intentional fakery to quell spurious warnings? If they do, is its
mere presence cause for rejection, or does someone analyze the source
and form some kind of reasoned judgement? Let me guess....
While it is, shall we say, "shallow" to rely on compiler settings as a
standard for software quality, your question is nevertheless well put.
It's not clear to me why _FORTIFY_SOURCE is being disabled globally.
Potentially, there's some specialized code in which it triggers
undesirable effects. Those should be isolated, so that _FORTIFY_SOURCE
can otherwise do whatever good it does.
--jkl