[oe] [meta-oe][PATCH] libwebsockets: Fix the build with -Os

Adrian Bunk bunk at stusta.de
Fri Aug 30 05:13:17 UTC 2019


On Thu, Aug 29, 2019 at 03:09:17PM -0700, Khem Raj wrote:
> On Thu, Aug 29, 2019 at 2:23 PM Adrian Bunk <bunk at stusta.de> wrote:
> > On Thu, Aug 29, 2019 at 01:51:05PM -0700, Khem Raj wrote:
>...
> > > and better still with a patch.
> >
> > But please do not add such patches to OE.
> >
> > Patches from people who don't know the code well are often quite buggy,
> > and fixing warnings then tends to add more bugs than it fixes.
> >
> > Google "Debian OpenSSL disaster" for how the Debian maintainer "fixing"
> > a Valgrind warning in the Debian OpenSSL package made private keys used
> > for ssh authentication in Debian/Ubuntu predictable (AKA everyone on the
> > internet could log into the affected machines).
> 
> Right, I remember that, but then I also know first-hand cases where the
> compiler was telling you all the way and it was ignored, which ended up
> in field bugs, so there is no right answer.
>...

That's a lesson for upstream, not so much for a distribution.

The worst case is when people are just doing whatever is the fastest 
code "fix" to silence a warning/error.

When the compiler is telling you that the C library does not support
FNM_EXTMATCH, then ignoring the error with
  #define FNM_EXTMATCH 0
can turn it into a field bug.

Ignoring the compile error when the C library does not support qsort_r 
by using qsort instead can create exactly the runtime race conditions 
qsort_r is designed to avoid.

Finding correct solutions can be hard and time-consuming,
especially when the person doing the change does not know
the code in question well.

But a few correct fixes are better than many quick fixes that might
introduce more bugs than they fix.

And there is also a blame game involved:
If upstream software contains bugs, the blame goes to upstream.
If distribution patches introduce bugs, the blame goes to the
distribution.
Heartbleed was even worse than the above-mentioned bug, but no one
could blame Debian for it.

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed
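
The FNM_EXTMATCH case from the message above, as an added example that is not part of the original mail or of libwebsockets. The deny pattern and the function names are hypothetical, and FNM_EXTMATCH is assumed to come from glibc; the block compares the stubbed flag with a lookup that reports an error when the C library cannot evaluate the pattern.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* FNM_EXTMATCH is a GNU extension in glibc */
#endif
#include <fnmatch.h>
#include <stdio.h>

/* Hypothetical deny pattern: never hand out key material. */
static const char DENY[] = "@(*.key|*.pem)";

/* What the code does after the quick fix "#define FNM_EXTMATCH 0":
 * the flag argument is 0, so "@(" and "|" are literal characters and
 * no ordinary file name matches. The deny list silently stops working. */
int is_blocked_stubbed(const char *name)
{
    return fnmatch(DENY, name, 0) == 0;
}

/* Fail closed: 1 = blocked, 0 = allowed, -1 = pattern cannot be evaluated.
 * A caller must treat -1 as a refusal, not as "allowed". */
int is_blocked_strict(const char *name)
{
#ifdef FNM_EXTMATCH
    int rc = fnmatch(DENY, name, FNM_EXTMATCH);
    if (rc == 0)
        return 1;
    if (rc == FNM_NOMATCH)
        return 0;
    return -1;               /* fnmatch reported an error */
#else
    (void)name;
    return -1;               /* this libc has no extended matching */
#endif
}

int main(void)
{
    /* Constructed sample names. */
    const char *names[] = { "server.key", "ca.pem", "readme.txt" };

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-12s stubbed=%d strict=%d\n", names[i],
               is_blocked_stubbed(names[i]), is_blocked_strict(names[i]));
    return 0;
}
```
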


