Actions: create a `Lint` action that catches common silent build mistakes
woodruffw opened this issue · 1 comments
woodruffw commented
This would be a nice feature advertisement for blight's functionality.
Some things we could lint for:
- `-DFORTIFY_SOURCE` instead of `-D_FORTIFY_SOURCE`: the former is a no-op, meaning that the user's expected fortifications are not actually compiled in.
- `-D_FORTIFY_SOURCE` without `-O` or higher: fortification doesn't work with `-O0`.
- Flags that disable baseline mitigations (`-fno-stack-protector`, `-z execstack`, others?)
H/T to @disconnect3d for the idea + initial lint ideas.
disconnect3d commented
Fwiw: `-z noexecstack` works while `-z noexecstackLOL` will only say: `/usr/bin/ld: warning: -z noexecstackLOL ignored.` but will pass; same for `-Wl,-z,noexecstackLOL`
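
An added sketch of the checks discussed in this thread, run over a compiler argument list; it is not part of the issue or of blight's code. The names `lint_args`, `z_keywords`, the finding codes and the short `KNOWN_Z` keyword list are assumptions made for the example, and the near-miss check for `-z` keywords is a heuristic that goes slightly beyond the single `noexecstackLOL` case shown above.

```python
import difflib
import re

# Hardening-related -z keywords this sketch knows; a near-miss of one is treated as a typo.
KNOWN_Z = ("noexecstack", "execstack", "relro", "norelro", "now", "lazy")
WEAKENING = ("-fno-stack-protector",)


def z_keywords(argv):
    """Yield linker keywords given as `-z kw` or `-Wl,-z,kw`."""
    toks = []
    for arg in argv:
        toks.extend(arg[4:].split(",") if arg.startswith("-Wl,") else [arg])
    for prev, tok in zip(toks, toks[1:]):
        if prev == "-z":
            yield tok


def lint_args(argv):
    """Return (code, message) findings for one compiler/linker command line."""
    out = []
    defines = [a[2:].split("=")[0] for a in argv if a.startswith("-D")]
    if "FORTIFY_SOURCE" in defines:
        out.append(("fortify-typo", "-DFORTIFY_SOURCE is a no-op; use -D_FORTIFY_SOURCE"))
    opt = [a for a in argv if re.fullmatch(r"-O\w*", a)]  # the last -O flag wins
    if "_FORTIFY_SOURCE" in defines and (not opt or opt[-1] == "-O0"):
        out.append(("fortify-no-opt", "-D_FORTIFY_SOURCE needs -O or higher"))
    out += [("mitigation-disabled", a) for a in argv if a in WEAKENING]
    for kw in z_keywords(argv):
        if kw == "execstack":
            out.append(("mitigation-disabled", "-z execstack"))
        elif kw not in KNOWN_Z and difflib.get_close_matches(kw, KNOWN_Z, n=1, cutoff=0.8):
            out.append(("z-ignored", f"-z {kw}: unknown keyword, ld only warns and ignores it"))
    return out


if __name__ == "__main__":
    # Constructed command lines, not taken from a real build.
    for cmd in (
        ["cc", "-DFORTIFY_SOURCE=2", "-O2", "-c", "a.c"],
        ["cc", "-D_FORTIFY_SOURCE=2", "-O0", "-c", "a.c"],
        ["cc", "-O2", "-fno-stack-protector", "-Wl,-z,execstack", "a.c"],
        ["cc", "-O2", "-Wl,-z,noexecstackLOL", "a.c"],
    ):
        for code, msg in lint_args(cmd):
            print(f"{code}: {msg}  <- {' '.join(cmd)}")
```

The sketch only recognizes the joined `-DNAME` spelling and treats a missing `-O` flag the same as `-O0`.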