Re: Enabling compiler warning flags

From: Jeffrey Walton
Subject: Re: Enabling compiler warning flags
Date: Wed, 19 Dec 2012 19:24:20 -0500

Hi Paul,

On Wed, Dec 19, 2012 at 10:47 AM, Paul Eggert <address@hidden> wrote:
> On 12/18/2012 09:55 PM, Jeffrey Walton wrote:
>> Unfortunately, the folks at Red Hat provided a "proof by counter
>> example" with the recent MySQL 0-days
> No matter what the security regime is, it will always
> break down.  Always.  The question is not whether security
> could be improved.  Security could always be improved.
> The question is whether it's worth the effort.

> Abstractly, I think Autoconf machinery to support security
> checking is a good idea, but the devil is in the details.

> One good way to help determine whether the proposed change
> to Autoconf is worth the effort is to see whether someone
> is willing to volunteer the work to make the proposed change happen,
> and to donate their change to the FSF.  Are you willing
> and able to do that?  If not, can you find someone who is?

Well, I work in the "secure software" field (whatever that's worth
given the collective failures of the security folks). I am willing to
try and help. I've been lurking on the list trying to learn (I don't
even use Autoconf - I still write my makefiles by hand).

I'm not sure how much help the FSF will be. Forgive my ignorance, but
are FSF and GNU equivalent? A couple of years ago when Savannah got
hacked (January, 2011), I sent an email asking for guidance for
projects on security related matters (broadly, secure coding guides,
data security and best practices, selection of cryptographic
algorithms, and the like). The email was sent to address@hidden (the
listed point of contact), and it opened with: "There's two points
below that GNU could address. The first is storing plain text
passwords. Second is the lack of security topics in 'GNU Coding
Standards'." I did not even get a reply.

For completeness, I don't think this is an Autoconf problem. But I was
hoping Autoconf (or other friends, such as Automake) could be part of
the solution. I am at wit's end trying to figure out how to put a sizable
dent in the problem. I've been putting fires out with garden hoses,
and it's not working.
