From YouTube: C/C++ Compiler Options Best Practices (March 15, 2023)
B
I can help to take some notes. Excellent. The best of my abilities, but I'm also trying to get Thomas. Yeah, great, because, due to your daylight saving, I think the meeting moved in our calendar. I just want to make sure that he noticed that. Okay.
A
D
C
A
B
A
Two documents: we had initially started a Google document as the working group very early in our history, and that effort went a little dormant for a while, and then our friends at Ericsson joined us and helped share the markdown file that we have, we're going to look at, and that actually was much more comprehensive and better organized. So we were taking some steps to review the original Google document and see where we wanted to weave it into this more structured document.
A
And then we had the grand idea that, hey, there are other compilers that people care about, so I have looped in the crew from Intel, and so hopefully we'll be getting some similar feedback on the ICC compiler. And we just recently reached out to our friends in Redmond, and now we've got some Microsoft folks, and hopefully they might be able to share some information so that we have a similar set of recommendations around folks using the Microsoft compiler.
A
A
Worries, Mr. Wheeler.
D
Yeah, we had talked about this before, but I think there, you know, welcome the Microsoft C compiler, and my suspicion is that it may be easier to make that a separate document, or at most a separate appendix, just because syntactically all the options are different. I think in many cases there are different options you'd want to invoke anyway.
D
So, you know, within this group, great, it might be a lot easier to maintain as a pair of documents, just because of, you know, all those differences.
D
That said, if we can cross-compare, that'd be cool, but, you know, what the Microsoft compiler has, some option that doesn't make sense for anybody else, well, an option, some capability that's different, vice versa, then, you know, then that's great.
A
A
Markdown file: do you want to look at the original working group document to see if there's anything we want to salvage out of there?
F
Yeah, I agree. I think it would be good to look at this original Google document. I guess that we haven't really gotten into that yet, even though it's been kind of on the agenda for a couple of calls now. So maybe it's a good time to do that.
D
Yeah, if I may, I don't know if anybody noticed, but there are a whole bunch of markdown lint complaints, and I fixed them all, so yay.
D
You know, it's not so much that lint fixes are exciting, but the idea is to start with a relatively clean document, and then we can kind of go from there.
F
D
Yeah, there's an odd formatting thing where, after the equal sign, there's a mysterious space. I don't think it should be there, but there it is. It doesn't mean, it doesn't inhibit the value of this thing, but sometimes, somewhere, in copious free time, or frankly, somebody else wants to look and see why that is and how to fix that, that'd be awesome. It's a minor formatting thing. I'd like to focus today on the meat, but if somebody wants to go figure out what the heck is causing that, that'd be awesome.
B
I have a related question to you. Always working, so I pushed a PR earlier today, basically just adding, following David's lead, and adding more links to the document, well, those hyperlinks, quick links to get from the overview table to the relevant sections.
B
First, the, apparently, since I contributed to this repo first, the linting workflow doesn't start automatically. That seems to be a default thing. Does anybody know if that will be fixed for later PRs? Because right now a maintainer needs to approve that. And then the second question is, it was like, how do we, I know there have been discussions around that in the OpenSSF in general, like the configuration of permissions and stuff like that on the repos, because they can't really add reviewers officially and all of that. I
A
Yes, we have a solution, yes. That is the way it will be for the short term. I am working with a gentleman that is assisting the LF staff on fixing git permissions, and we fixed another of my working groups yesterday, vulnerability disclosures, kind of resetting things, and I will encourage him to look at the best practices working group, maybe today, if he has time.
A
Helping us, so I'll see if I can get us set up, and making sure that George and Thomas, you guys, are both in the right group to be able to manage PRs. Yeah.
D
Basically, we've been walking through the permissions of the entire organization, trying to move everything into groups so that it's
G
D
easier for, you know, you're in this group, therefore you can do this. If I recall correctly, and I may be wrong about this, but once you're permitted once for the linting on a pull request, that continues on, if I recall correctly. Seems
B
to be like that, according to the GitHub documentation. I just looked it up. But yeah, okay, good, yeah.
D
So basically, you know, for the first time, then that's going to be the case, but I don't, I think that's, you know, that's just the first time you do it, and then
D
A
Fine, okay, so yeah, I'll poke, I don't know what time zone Jordan's in, but I will poke him, asking him to look at the best practices working group so that we can get everybody where they need to be to be able to work more efficiently. And I went through and I approved your pull request, so it should be merged.
A
A
Seems to be causing some opportunities with some of our submitted PRs.
D
D
D
Yeah, so if you want.
D
Okay, so let's see here, I'm trying to look at two things at once. I do eventually want to kind of walk through the text and top, but I don't think we need a group to do that, unless you really want to. So maybe what we ought to do is just kind of walk through the options from the other document and at least begin the discussion of seeing if there's any options that should flow in. I
D
think most of them are there, but there are some questions or differences, and we don't have to resolve it all today.
D
So if we look at the current document, there we've got -Wall, -Wformat=2 and a couple of things. Oops, I see Randall's hand's up.
G
I was talking to those people and also the Gentoo people, some of which are on the kernel team. There was a question, like, if this document's supposed to identify the already enabled defaults or the security options that need to be enabled so that you have what is generally considered a hardened binary when it comes out, because a lot of what we reviewed off of this document is already enabled by default.
F
D
No, no, no, I'm sorry, I'm not being clear. If a newer version of GCC has it on by default, that doesn't mean that it's on by default in older versions that
D
Yeah, I don't know who these most people are, but you're talking about the Linux distros and I'm thinking about the IoT devices, where they hope to start using the Linux from 14 years ago, someday.
G
D
Maybe, yeah. CRob is going, horror, horror. Yeah, let's just say that IoT folks are not necessarily the leading edge. They're
G
D
D
G
F
Yeah, so like, maybe I can sort of explain what the rationale was for me to pick up this option, since I'm sort of maybe responsible now for the discurrence it, and when we did this initial document, we made this decision that we are not going to assume that anything is default, because we sort of have this situation where we couldn't, like, really rely on, like, any particular GCC version, because the reality is that there are, depending on, like, exactly in which domain you are working with, some
F
In some cases you are sourcing GCC from the Linux distribution, which is the target environment. In some cases the target environment is something else, and then GCC can be sourced from another vendor or even mainline, and we were sort of looking at this and concluding that, depending on the GCC version and depending on where you source this GCC from, the defaults are different. So we sort of decided that we're not going to assume anything is on by default.
F
F
One interpretation of what is security relevant, but yeah, like, certainly I think there is, like, room for discussion on what should be in this document, but I think it's also, like, a little bit risky to kind of make this assumption that, even though there is this notion that, especially, like, in the open source world, there is kind of, like, a safe default, but unfortunately it might be a little bit sort of optimistic to expect that the entire world actually has the latest and greatest GCC and can rely on that.
F
There is, like, a default profile, unfortunately, right, but that goes into also, like, this discussion that, who is sort of the target audience for this, right? So I sort of, you know, of course, openly admit that this was initially something that we started for internal use, and sort of the requirements there might be different from what is beneficial for the community as a whole.
G
From my understanding, there are certain flags that your software should compile with. It goes beyond security, just like, if it doesn't compile with, for example, the CXX assertions, basically it's considered a bug at this point. So in other words, like, it has to compile with those things. Now, as far as fortifications, the reason for the question is because, as I said, most software should compile with fortifications 2. It's generally accepted that, if it doesn't compile with fortifications 2, you have a bug. In the next six months,
G
From a security standpoint, they've been testing out using fortifications 3, and I know within the next six months to a year that's going to be the recommendation. I know that that might not be the default, but I know that's what currently is, like, if you're looking for, like, security recommendations, according to them they're already recommending for _FORTIFY_SOURCE=3. Okay.
C
Oh yeah, so the work conversation about compiler version, you know, makes me wonder, and about fortification, makes me wonder if we really want to cover all existing versions of GCC. Fortification 3 was introduced only a year ago, and GCC maintains three, you know, maintains three versions, three branches. So what are we aiming for?
C
Are we aiming for the ones that are actually maintained, or the ones that are known to, like, the bugs and the flaws are known to community will change, and what is the target audience here? So Gentoo, for example, has been, you know, building the entire distro for fortification 3 and finding a lot of bugs, including bugs, and they would like to push the community in that direction. So is that something we want to encourage, or just hold back? So I think, you know, in my personal opinion, I think it will
C
D
I have a comment, but I think Siddhesh is ahead of me. He is.
E
Right, so I, actually, can you hear me? Yes, we can. Perfect, thanks. I'm sorry I did not introduce myself earlier, because I was driving, but I work at Red Hat, I built into security, so, and I'm one of the, I am the author of _FORTIFY_SOURCE=3.
E
So I'll address the _FORTIFY_SOURCE=3 question a little bit later, but I wanted to first talk about the GCC build flags and how they get handled in the distribution, because it's a little bit more nuanced than what has been suggested.
E
So there are a lot of flags that get enabled by default in our security flags, but then they're enabled by default for distribution bits, which is to build packages. If you're using GCC in your application, it may not necessarily have all of those flags enabled. Like, for example, in Ubuntu you have PIE enabled by default, but on Fedora that's not the case, so you'll probably get PIE by default on Ubuntu, but not _FORTIFY_SOURCE. Again, you need to explicitly pass that flag to kind of make that available, or to build your application. But so I think in that context, all of these flags are relevant, in the sense that all the end-user application developers will want to know what flags to enable in their application, to build their application.
E
As far as distributions are concerned, distributions have their own thing, yeah, and in that kind of ecosystem, you can say that they're fairly evolved in terms of what kind of distribution flags, what kind of security flags they want to enable in their distribution. So that was about compiler flags. And about fortification: it is true that we're trying to push _FORTIFY_SOURCE=3 in multiple distributions. I think openSUSE was the first to build the entire distribution with _FORTIFY_SOURCE=3 by default.
E
Fedora is doing that for Fedora 38, and so far we haven't found a lot of issues, but then one of the problems with _FORTIFY_SOURCE in general, and this is not just limited to 3, is that it behaves a little oddly, like Savage, especially flex arrays that were done, like, in the old way, where you kind of just tag an array at the end of the struct and expect the compiler to be able to handle it, and because of that there are some applications,
E
some popular applications that can disable _FORTIFY_SOURCE. Like Vim, for example, is one of those. Vim does not build with _FORTIFY_SOURCE enabled; it explicitly disables _FORTIFY_SOURCE. So there are those issues that we're trying to deal with in GCC. Qing Zhao from Oracle is trying to improve the way the compiler works with flex arrays, and then we have
E
E
D
Excellent, David. If I may, I have a comment, and I think we're moving smartly on to some changes to the document, because I think this is, this is not just a discussion. It's an important one. I view there being three, at least three, major groups that might use this document. The group that probably will use this the least are the Linux distributions. I mean, if we can make it helpful for them,
D
that would be awesome, and I think we can make it helpful for them, but a little more indirectly. You know, most of the major Linux distros already have a pretty refined set of flags. They care about them a lot. But the problem for the Linux distros, as was just mentioned, is that the application developers often don't use those flags when they write their code. So Vim is not trying to be evil and malicious.
D
Vim, you know, wrote some code that works under their compiler options, and that's how they test, and then the Linux distros get the joys of trying to deal with that. And so the second group of users is really the folks who are developing applications, you know, open source applications, because we want them to test with all these option
D
flags. And the final group, and Randall, there's a terminology thing that I'm using, but you may not be noticing: there's the Linux community and there's the Linux distributors, and/or Linux distributor communities, and those aren't the same thing. There's a huge number of IoT devices where they recompile Linux kernel. They aren't Linux distributions in the sense of a Fedora or Red Hat Enterprise Linux or a Gentoo or a Debian or Ubuntu, but they sure as heck compiled with an external.
D
They compile lots of other things, and it's whatever the default in their old compiler is. I agree, we can't support compilers back to the beginning of time, but I think we ought to be a little more flexible in terms of the compiler range used, because, you know, we should absolutely, if you've got the current compiler, here's the flags you should use. If you don't have the current version of a compiler, because, say, your application doesn't compile that way, we should support several versions back, because that's, you know, we can.
D
So let me give a for instance. We've been talking about _FORTIFY_SOURCE. The current document says _FORTIFY_SOURCE=1 for strictly compile time, _FORTIFY_SOURCE=2 for runtime protection. I think, for the runtime, we should recommend _FORTIFY_SOURCE=3 where you can, and then note that you may need to back off, and then the details explaining the back-off and rationale. And by the way, I
D
don't think that that's really clear in, for example, the GCC pages, at least the main page, why you might need to back it off. So I think, and what this would do is, for example, for all the Linux distros, say: hey Vim, you know, run your test this way, and the Vim folks will go, ack, it doesn't work, and the distros will say, right. And it will help all the folks downstream, because upstream folks will test it with the better, with the stronger options.
B
Yeah, unfortunately, David covered most of what I wanted to say, obviously. Yeah, now, I think the three categories are really nice, because, basically, what I wanted to say is, even though, if there's a default profile, I think it does make sense to spell out explicitly all the options we consider to be important for various reasons, and then David kind of carved out these different use cases. So, like, coming back to the original question from Randall, I wasn't really sure
B
if that's, if there was considered to be a problem or not, if some of those options are enabled by default, because I wouldn't consider it a problem, really. I would still cover them in the document, if not just for educational purposes, but for the reasons David mentioned. So just basically wanted to add my two cents to that discussion.
F
Yeah, I also agree with you, David, that I think that this would be a Black Version. I think that this would be the best way to go, to try to cover, like, each of these variants, and this is, like, I think that we've sort of established that this is sort of clearly, like, a clear omission, the _FORTIFY_SOURCE=3, and I
F
think that, like, the way to deal with this most, sadly, is that when we have, like, these specific sections that have, like, the more detailed description of the option, we can cover, like, each of these variants
F
in that, and then in this overall table of the recommended options, we can bump that up to _FORTIFY_SOURCE=3, and that can somehow, like, represent sort of the latest and greatest, or what sort of are our understanding of the latest and greatest. And then maybe, like, a little bit from, I'd like to also, like, add to this discussion on, like, the versioning. So I would also not want to sort of try to cover
F
like, a specific, you know, these are the specific options you need if you have, like, an aegiso GCC. But what we try to do is that at least give, like, an idea of that, if you're working with an older GCC, like, what options can you look at, right? And maybe, like, the columns here actually might be a little bit misnamed, right?
F
So sometimes the choice of words can be a little bit misleading, but yeah, I think that there is kind of, like, a good rationale for trying to keep, like, the recommended table to represent somehow this latest and greatest, but also I think that that should be, like, the latest and greatest, like, regardless of what the distributions actually are doing, because, like, I'll use, as you also pointed out, David, distributions have their corresponding documents, and if you're interested in what they're doing, it's maybe better just to read their documents.
A
G
I was gonna add, I agree with everything you said, but David, in an ideal world that would work, but in reality most people do use Debian, like, in their pipelines, and they just install GCC from there. So I've, I've
G
D
G
come to mind, but I mean, generally, from what I see in people's pipelines, they don't have flags. They just have input, output: download from Debian, input, output, it compiled, test pass. The vast majority of projects go like that. They don't actually have a set of flags they compile with. If not, that would help the Gentoo project tremendously, but most projects don't have that.
G
D
Not sure about most, majority, that, though, there's always dangerous things to do, but so the issue that you're saying, though, is that a lot of folks just say, hey Debian, compile this, and no.
G
What I'm saying is that most people don't have a recommended set of flags. You can ask them, but in my years of being in Gentoo, it's been a handful of times that I can actually remember that a project has, oh, these are the flags you recommend, and these are the flags we compile with, or that we even test with. Most of the time it's a lot more primitive than that.
G
G
D
All right, so let's talk about specifics, because it's the first one on the recommended runtime protections, _FORTIFY_SOURCE=2, and I think this is where it immediately comes to a head, and I think this is where, instead of just looking at the existing document, we can go beyond. I think it would be wise for us to recommend _FORTIFY_SOURCE=3 as the recommendation at the top level, and in the more details,
D
note, hey, you sometimes can't do that, and the details explain why, explain your alternatives, but, you know, basically trying to give the, here's the top of the line, best part, you know, strongest possible, and then backing off in the details, noting that you may not be able to enable that for a variety of reasons in your circumstance. And that enables us to give the latest and greatest advice, but also back off to what some folks may be able to do in their circumstance. Thoughts?
F
I think it sounds good. I would also like to add this note about the flex array that Siddhesh pointed out. I think that we are missing that in this when-not-to-use section.
E
I can probably help flesh out the _FORTIFY_SOURCE section.
D
That'd be great, yeah, if you can just make a pull request specifically on that. I guess what I have in mind is, at the top it says, you know, _FORTIFY_SOURCE=3, requires, I think, -O2 in that one, you know, and then in the text it notes, you know, sometimes you can't do this, and the details, but it gives the details in terms of, well, 3 showed up here, 2 showed up there.
D
E
E
Something like that. Oh yeah, I'll, other compilers is, yeah, other compilers.
D
And that's going to be a legitimate issue we're going to see, I think, over and over again, really. You know, other compilers, older compilers: in order to syntactically support them, you may need to do some weirdness. Would
G
F
Yeah, like, from my side I would be especially interested in if there are, like, you know, specific programming constructs that you can point at that are problematic, like these flex arrays, because I think that that would make it a little bit more general purpose, right?
F
So if those links help to actually get an idea of what are the problematic constructs, then I think those would be helpful.
A
C
Sorry, yeah, so, you know, that remark just made me wonder, and what Siddhesh was saying earlier, so flex array is a part of this general construct of variable length array, or whatever, modified array, that were introduced in C99, then were made optional in C11, precisely because of security issues, and then we are talking about, hey, should we have the example of patterns of code that are problematic and so forth? So that makes me wonder if we actually want to say something, recommend against, in general,
C
the use of variable length arrays, or if we just want it to be fortified for them to sort out.
D
So if that doesn't affect options, I think we can say no. However, it will be shocking if some option didn't affect them, so I guess, since this document's about compiler options, I guess I would shoehorn that discussion into whichever option is being affected by that particular issue, if that makes any sense. Yeah.
C
A
And we also have the option, I agree, we should stay on point about documenting the options with this artifact, but if we stumble across other useful things, we have other means, whether it's a supplementary supporting document, a blog. We have other means to share this kind of good practice information outside of kind of our focus here of documenting these options.
D
I actually wanted to comment on Randall's comment. You know, we don't want to create a list of, here's all the packages of programs that today don't work with some option. I mean, presumably those particular programs either already know it or will. But, you know, hey, Vim doesn't compile with this option, I mean, I don't think we want to try to, you know, collect all the programs that don't work with some flag. But what I do think absolutely would be vital,
D
we're mentioning Randall's offer of links, is specific examples of, this construct doesn't work, citation; this construct doesn't work, citation. And now, instead of this highly abstract "what do you mean", it's pointing to the real world, and I think that's where those kinds of links are absolutely invaluable.
G
D
Indeed, yeah, but it's not so much because, hey, there's a problem with Vim. It's because this gives the real-world example of where this is a problem, where you want to back off, or where it's a significant change, and why it's a
F
Good, yeah, I think also that I agree with this, and I think that we should also be a little bit careful not to sort of make it kind of the possibility to appear to have, like, any kind of, like, naming and shaming of, like, specific packages, because I don't think that that's the intent. But again, like, if there is, like, a helpful sort of rationale for, and especially, like, more of this, like, this is, like, a case study of, right, where someone might have run into, like, issues with this and why they are running into it,
F
then I think that's definitely helpful. And then, like, in terms of, like, concrete changes: how do we feel about bumping this fortify, so in the recommended options table, how do we feel about bumping that to _FORTIFY_SOURCE=3? And I guess that that means also updating this TL;DR that David added.
G
D
D
Usually you want 3; here's the reasons for 2, you may need to drop to 2. And then, frankly, I would say that this document starts becoming ever more valuable with every new addition like that. I mean, it's already useful now, don't get me wrong, but every time we add that sort of, do this, but there are reasons to do that, because at least the current docs aren't always so clear about the trade-off.
F
G
Yeah, I was gonna suggest, so I used to really help out with the Gentoo LTO project, which was basically enabling crazy flags, and we built this very good debug section about, like, if you go through this guide and enable all the flags, then these are the flags you want to remove, it's not building, in this order. So I would suggest maybe a little section like that, because that might be a good section to put, look,
G
F
Yeah, I think to me that sounds like a very valuable addition, and we already have, at the end of the document, there is this section on this debug information that is created, like, didn't, like, really fit anywhere else, so I think that, at least I feel that that would be, like, reasonably within the scope of this, to add, like, another section that is some kind of, like, aid for debugging, yeah.
G
D
I have one comment related to _FORTIFY_SOURCE=3. It's already hinted at in the text of the column, if you read carefully, but I'm thinking it might need to be its own row, and that's -O2.
D
The reason for -O2 is that _FORTIFY_SOURCE=3 doesn't do anything unless you turn on -O2 or higher, so it could be -O3. But, you know, I mean, dash capital O optimizations, because if you don't turn on the optimizations, it won't detect a lot of the problems, and I fear that if it's only a comment in the compiler flag table, people won't turn it on.
F
But there is this section, so there is actually, like, this, if you read about halfway through: "To benefit from _FORTIFY_SOURCE checks, the following requirements must be met", and the first requirement, "application must be built with -O1 optimizations or higher", which I think is the case for this _FORTIFY_SOURCE=2, but that should probably then be updated to -O2, right?
E
No, it'll work with -O1 for _FORTIFY_SOURCE=3, yeah, it's just that it won't be as effective.
D
D
So even for ourselves, we have to be careful about this, yeah.
F
I can add, I'll add -O2. Let's say I add -O2 there, yeah, which I think is the default, but yeah, we can be explicit. Exactly.
F
G
Randall. Can I also suggest maybe, like, I know that, like, duplicate flags, Sid could probably correct me, but I know that duplicate flags aren't really a problem, but maybe also, like, explaining how you want to have flags enabled, how you could pull those up just to check, if you got it from somewhere and you have stuff enabled and you don't know about it, that might be a useful part in the document. I don't know if that's in there.
G
F
I think that we have, like, a little bit of text under this recommended compiler options. So I think that we say something like, "for historical reasons, the GCC compiler and Binutils upstream projects do not enable optimization or security hardening options by default", which might not be actually accurate.
F
So if you have better information, then feel free to improve, but then it goes on and says that, while some aspects of the default options can be changed when building GCC and Binutils from source, the defaults used in the toolchains shipped with GNU/Linux distributions vary, and then there's, like, a note on, like, that distros can have multiple versions of toolchains with different defaults, which is at least the case with serious, I believe. So would this be, like, a good place to add, yeah.
G
To pull them up, it's just, like, a command. I forget off the top of my head which one it is. But I know it's just like, okay, man, you can pull up all your options, and that way you know. If you don't have anything enabled, then you could do whatever you want, you know, but if you have things enabled, then, you know, maybe you have something enabled that you didn't know was enabled.
E
Just a quick comment on duplicate flags. As far as macros are concerned, if you assign a different value to a macro, that might end up with a warning. Like, for example, with the _FORTIFY_SOURCE macro, if the distribution toolchain enables _FORTIFY_SOURCE by default, I think Gentoo does it with some driver hack, and you try to set a different fortification level with your own macro in your application,
E
it might result in a warning, so you need to, like, explicitly undefine the macro and redefine it, and then, in that too, you have to kind of take care, because you have intercepting drivers like ccache, which tend to consolidate and then redistribute command line arguments to compilers, and I've seen at least one occasion where they've got the ordering wrong and they ended up undefining _FORTIFY_SOURCE. That was a bug that got fixed, but again, maybe something to think about.
D
Yeah, I want to add one proposal real quick, at least start discussions on specifics. Although it doesn't matter for C, for C++, -D_GLIBCXX_ASSERTIONS basically gives you bounds checking for a number of situations. I hear bounds checking is a potential issue, so.
G
A
D
My point, though, is not everyone has enabled it, and that's why we have this document. So the more we can get people to do that and upstreaming it, the better everybody's gonna be, and I think so.
G
At some point in the guide, are you gonna recommend people to open, like, if it doesn't compile with this option, you should open a bug upstream, or is that something we're not recommending?
G
Well, yeah, but you get my point. Like, if, for example, you're trying to compile, I don't know, curl, and it doesn't work with certain options, because you're trying to have a fortified or hardened version of curl, and it doesn't compile with one of these options, are we going to recommend people to go and actually open an issue with curl?
F
Yeah, I guess Gabriel wants to comment on this.
C
Yeah, oh, so I wholeheartedly, I agree with GLIBCXX assertions. That was actually something that originated between my group and lives to Jonathan Wakely, libstdc++. We also, we absolutely need to have these things enabled for, you know, C++ applications, for bounds checking, and we have to do it in a way that has minimal performance hit.
C
So, you know, just like we need to have fortify, you know, 3, I think this is really fundamental. You know, ideally it should be the language itself, but, you know, here we are.
D
C
Your application doesn't, that crashes with that enabled, then it should be about a suspect. Somewhere in the document we say these best practices, but I think we probably want to have language like that says: hey, if you enable these options, we say best practices, but if, you know, these things, they don't work, consider them, treat them as bugs.
D
I'm going to make a pull request to add this, and people can say whether or not they want to do it. It sounds like there's general agreement it would be a good idea to add this to the list.
F
Yeah, I think that we are up on time. But do you have something quick, and then I think it's time to wrap up. I
E
I just quickly wanted to add that we actually did this during the _FORTIFY_SOURCE=3 enablement for Fedora, where we filed bugs in various packages that broke because of _FORTIFY_SOURCE=3, including systemd, where it wasn't technically a bug. It was a corner case where it was basically just bad programming practice, and communities were generally accepted.
F
Yeah, I think that, if you're willing to make a PR on how you would want this section to look, I think that it makes sense to continue this discussion in the comments for that PR. Yeah, and we can maybe pick up going through the old document in two weeks' time.
F
Yeah, okay, your hand is still up, Gabriel, but, that's okay, okay. But I guess that then it's time to wrap up for this time, but thank you very much, everyone. I think this was, like, a really productive call. We got into a lot of the nitty-gritty technical details. So thank you, talk to you all in two weeks. Thank.