[Privoxy-devel] 0006-enable-lots-of-diagnostics
Fabian Keil
fk at fabiankeil.de
Wed Sep  6 11:51:26 CEST 2023

Lee <ler762 at protonmail.com> wrote on 2023-09-05 at 19:45:16:
> I apologize for how long it took me to respond.
No problem.
> On Thursday, August 17th, 2023 at 7:00 AM, Fabian Keil wrote:
> > Did you write them yourself or are they copied from another
> > source in which case there may be license issues.
> 
> I mostly paraphrased the info.  And with the infamous "I Am Not A Lawyer"
> disclaimer, I expect that whatever copying/paraphrasing I've done is
> covered under fair use, so there shouldn't be any license issues.
If you mostly paraphrased the info I think it's fine, too.
If you copied something you could also add a source so it's a
proper quotation which, within limits, should be fine as well.
> > Maybe it
> > would be safer to shorten or remove the descriptions and let
> > readers who care look them up themselves in the compiler
> > documentation.
> 
> The problem I had was that the compiler documentation all too
> often didn't tell me what the flags did.  I had to look on
> wikipedia and even the gcc mailing list to figure out what
> some of those flags did/meant.  Maybe the man pages are enough
> for you -- they seem to be written more as a memory aid for
> people who already know the info but can't remember specific
> details, but for me the man pages left much to be desired.
> Hence all the comments.
I agree that compiler documentation is often incomplete
and distributed across multiple places which include the
sources.
> > BTW, the "HardenedBSD" folks also seem to spend a lot of time on
> > "compiler flags" when the time (in my opinion) could be better
> > spent on code audits and code reviews to avoid security issues
> > like [0] and 1 etc.
> 
> I'd say that the knowledge level one needs to select compiler flags
> is _way_ less than the knowledge level one needs to do a decent code
> audit.  And a code audit applies only to the one bit of code being
> audited; selecting better compiler flags applies to all the software
> that is compiled with those flags.  So I can see why a group of unpaid
> volunteers would spend their time on "compiler flags" even if they don't
> catch all that much.  .. something, something about collecting low-hanging
> fruit.  Code audits are _hard_.
Agreed.
> So it seems a lot easier to justify spending some time picking
> compiler flags than doing a code audit.  Which leads to things
> like cppCheck or .. who was it that offered to do free automated
> code audits on open-source code?
Coverity used to allow "us" to run their proprietary scanner over
the Privoxy code but I just checked and the DNS name for the
web interface [0] no longer resolves to an IP address and
the website [1] redirects to another one [2] ...
Fabian
[0] https://scan3.coverity.com/
[1] https://www.coverity.com/
[2] https://www.synopsys.com/software-integrity.html