[openssl-dev] [openssl.org #4169] openssl-1.0.2e build still recommends deprecated (unnecessary?) `make depend`, returns numerous warnings abt not finding stddef.h

John Denker ssx at av8n.com
Mon Mar 14 20:23:08 UTC 2016

On 03/14/2016 12:53 PM, Salz, Rich via RT wrote:

>> In order build openssl 1.0.2g
>> 	use `make depend` when prompted -- i.e., do NOT ignore the advice
>> 	but DO ignore the 1000's of lines of output, and just proceed to
>> subsequent `make`
>> And that resultant build is considered a reliable build.
>> Is that correct?

> Yes.

How do you know it's reliable?

In particular, how do you know there is not one important 
warning hiding among the thousands of others?

To assume that "any warning must be a false warning" seems
tantamount to assuming there cannot possibly be any bugs 
in openssl.

When I'm writing code, for many many years I have treated all
warnings as fatal errors.  That applies to all my code, not
just mission-critical and security-critical code.

It's very trendy these days to use "formal methods" to increase
reliability and security.  Getting the code to compile without
warnings seems like 0.01% of a baby step in the right direction.
Conversely, training users to ignore warnings seems antisocial.
It is the opposite of good security practice. 

> In this particular case it's more trouble than it's worth.
> A future update to 1.0.2 might just remove that.

If it's not supported it should be stricken from the list
of supported features.   Conversely, if it's a supported
feature it should do the right thing.  Code that generates
thousands of warnings is not doing the right thing.

More information about the openssl-dev mailing list