[OTR-dev] 4.0.0-rc3 ready to roll. Please try it out!

Greg Troxel gdt at ir.bbn.com
Mon Sep 3 19:40:54 EDT 2012

Ian Goldberg <ian at cypherpunks.ca> writes:

> On Mon, Sep 03, 2012 at 06:40:08PM -0400, Greg Troxel wrote:
>> Ian Goldberg <ian at cypherpunks.ca> writes:
>> > OK, then I guess the thing to do is just to turn off hardening for that
>> > build environment?  [I believe the hardening is only actually enabled
>> > when -O2 is on, regardless of whether the compiler options are specified
>> > or not, so turning it to -O1 or -O0 will also turn off hardening, so you
>> > may as well just turn off the hardening and leave it at -O2.]
>> I was going to leave on SSP and use -O1, but if SSP really needs -O2, I
>> might as well use -O2 and no SSP.
> That's my understanding.

I'll look into this more; probably when libotr is really released and I
update - then I can point people to it easily.

>> I plan to just do that for all of
>> pkgsrc to start; it doesn't seem that harmful (or -O1 didn't).
>> There's still a tiny chance there's something sick going on where the
>> code is buggy and with SSP things can be proved to always overwrite so
>> it just returns, and thus the compiler is right.  But I'll give that
>> only 2 in 10^4, esp. since I'd expect an abort if SSP triggers.
> If that were the case, I'd expect later versions of gcc to behave the
> same way, though?  Well, I guess not necessarily.  But if gcc 4.1.3 is
> _correctly_ optimizing away a good chunk of the whole function, then
> something is wrong in the common case, and valgrind would have reported
> it, I'd think?

Yes, that's why I am giving that scenario (buggy code, defensible gcc)
vanishingly small odds.

It would be really nice to have a test case run with make check.
Perhaps just creating two contexts and having them communicate and see
if it ends up with transferred plaintext.   Then it's much easier to
test this.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 194 bytes
Desc: not available
URL: <http://lists.cypherpunks.ca/pipermail/otr-dev/attachments/20120903/4e5c1ba4/attachment.pgp>

More information about the OTR-dev mailing list