In gcc-4.3.3, -D_FORTIFY_SOURCE=2 and -Wformat-security is added automagically to C[XX]FLAGS
- Please file a NEW bug for each package affected by this change and make it BLOCK this one.
- Do NOT use this bug for issues with >=GCC 4.3.3 itself. File a new bug and assign it to toolchain.
Hardened has already done this for some time, so a few bugs have been moved from the gcc-4.3 tracker to this one to keep better track of things.
any package broken by -Wformat-security is broken regardless ... no package should be building with -Werror and afaik, that's the only way to trigger a failure with that
*** Bug 260236 has been marked as a duplicate of this bug. ***
*** Bug 347267 has been marked as a duplicate of this bug. ***
i don't think any of these format-security bugs are useful. if you want to convince upstream to make their code base nice, then that'd be great. but i see no real value in Gentoo carrying patches, and i'm inclined to start closing them as UPSTREAM.
(In reply to SpanKY from comment #4)
> i don't think any of these format-security bugs are useful. if you want to
> convince upstream to make their code base nice, then that'd be great. but i
> see no real value in Gentoo carrying patches, and i'm inclined to start
> closing them as UPSTREAM.
I didn't even know this tracker was here. As Peter said, hardened has lived with this a long time without too much difficulty and I really don't want to see a bunch of patches causing an unnecessary maintenance burden. I say, let's close these upstream and suggest using append-cppflags if necessary to change the -D_FORTIFY_SOURCE=2. As already stated -Wformat-security will just warn.
(In reply to SpanKY from comment #4)
> i'm inclined to start closing them as UPSTREAM.
Please go ahead. The bugspam is getting excessive and will continue as long as this bug is open.
We could add -Wformat-security to portage's post-build qa checks. This would both raise its visibility and tell people that upstream is the proper place to report any warnings to.
Gentoo carries -D_FORTIFY_SOURCE=2/-Wformat-security patches for a long while including every stable compiler. Closing this bug. Feel free to create a separate tracker for -Werror=format-security failures. Those don't block gcc stabilization.
For completeness, as we're doing some research into when flags were enabled by default in gentoo:
commit 313ace55dfacaf43ca2abdf5ef2926e44c59b399
Author: Mike Frysinger <vapier@gentoo.org>
Date: Tue Jan 27 21:31:29 2009 +0000
    initial 4.3.3 patchset based on last 4.3.2 patchset
was the first to add 4.3.5/gentoo/10_all_gcc-default-format-security.patch to gcc-patches.git.
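The post-build check suggested in the thread, and the warning versus -Werror=format-security split made when the bug was closed, sketched as an added example (not code from this thread or from Portage). The names `scan`, `report` and `Finding` are hypothetical and the build log is constructed; the scanner accepts either the bracketed option tag or, for compiler output that prints no tag, the bare message text.

```python
import re
from collections import namedtuple

# Constructed sample of GCC build output (not from a real package build).
SAMPLE_LOG = """\
x86_64-pc-linux-gnu-gcc -O2 -pipe -c log.c -o log.o
log.c: In function 'log_msg':
log.c:42: warning: format not a string literal and no format arguments
util.c:17:12: warning: format not a string literal and no format arguments [-Wformat-security]
util.c:30:5: warning: unused variable 'i' [-Wunused-variable]
net.c:88:9: error: format not a string literal and no format arguments [-Werror=format-security]
"""

Finding = namedtuple("Finding", "path line severity")

# GCC diagnostic shape: file:line[:col]: warning|error: message [-Wflag]
DIAG = re.compile(
    r"^(?P<path>[^:\s]+):(?P<line>\d+):(?:\d+:)?\s*"
    r"(?P<sev>warning|error):\s*(?P<msg>.*?)(?:\s*\[(?P<flag>-W[^\]]+)\])?\s*$"
)
MESSAGE = "format not a string literal and no format arguments"
FLAGS = {"-Wformat-security", "-Werror=format-security"}


def scan(log_text):
    """Return format-security diagnostics found in a build log."""
    findings = []
    for raw in log_text.splitlines():
        m = DIAG.match(raw)
        if not m:
            continue  # compiler command lines, "In function" context, etc.
        flag, msg = m.group("flag"), m.group("msg")
        # Tagged output is matched by flag; untagged output by message text.
        if flag in FLAGS or (flag is None and msg == MESSAGE):
            findings.append(Finding(m.group("path"), int(m.group("line")), m.group("sev")))
    return findings


def report(findings):
    """Warnings become QA notices; errors mean the package set -Werror."""
    notes = {"warning": "QA notice, report upstream",
             "error": "build failure (-Werror=format-security)"}
    return [f"{f.path}:{f.line}: {notes[f.severity]}" for f in findings]


if __name__ == "__main__":
    print("\n".join(report(scan(SAMPLE_LOG))))
```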