On Sat, Jan 12, 2019 at 11:47 AM Niels Möller nisse@lysator.liu.se wrote:
> Nikos Mavrogiannopoulos nmav@redhat.com writes:
> ...
> I'm also considering adding a few more configurations to the ci, including "CC=gcc -std=c89", CPPFLAGS=-DNODEBUG and --disable-assembler. Anything I have to keep in mind (e.g., limits on builder resources?)
I recommend making folks explicitly ask for a debug build with -DNETTLE_DEBUG or similar. Don't define it in terms of "not Posix NDEBUG" or "not Nettle NODEBUG".
The typical use case is folks untar, config, and make. Eventually they want to install locally, perhaps as part of a collection of packages. Those who perform a straight release build should not have to do something special. Also, it depends on each person reading the manual and things just don't work that way in real life.
Folks who want a debug build should do something special. They will notice right away they have an optimized build missing symbols under the debugger. They will know to investigate more, like running './configure --help'.
The debug build use case also means `--with-debug` or similar that adds -DNETTLE_DEBUG or similar is probably a good idea.
If you choose to make the debug builds the default case then be sure to tell folks about it after configure runs. Also tell them the options needed to perform a release build since many folks will want a release build.
(This is the part of security engineering that offends almost everyone. You have to identify use cases and then acknowledge one as the dominant case. Then, others have to do something special and you have to tell them how to ensure they can shoot themselves in the foot, if desired).
Jeff
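
The opt-in debug switch suggested in the message above could look like this in a configure.ac. This is an added example, not part of the original message and not taken from Nettle's build system; the option name `--with-debug` and the macro `NETTLE_DEBUG` are the names proposed in the message and are assumptions here.

```m4
# Added example for configure.ac; not Nettle's actual build code.
# Assumed names: --with-debug and NETTLE_DEBUG, as proposed in the message.

# Release is the default: a plain "./configure && make" gets no debug checks.
AC_ARG_WITH([debug],
  [AS_HELP_STRING([--with-debug],
    [build with internal debug checks (adds -DNETTLE_DEBUG); default is no])],
  [], [with_debug=no])

# Accept only yes/no so a mistyped value fails loudly instead of silently
# producing the wrong kind of build.
AS_CASE([$with_debug],
  [yes], [CPPFLAGS="$CPPFLAGS -DNETTLE_DEBUG"],
  [no],  [],
  [AC_MSG_ERROR([--with-debug takes yes or no, got: $with_debug])])

# ... rest of configure.ac, ending with AC_OUTPUT ...

# After AC_OUTPUT: say which build was configured and how to get the other one.
AS_IF([test "x$with_debug" = xyes],
  [AC_MSG_NOTICE([debug build: NETTLE_DEBUG is defined; omit --with-debug for a release build])],
  [AC_MSG_NOTICE([release build: debug checks are off; pass --with-debug to enable them])])
```

Because the switch is independent of `NDEBUG`, the debug code in the sources would be guarded with `#ifdef NETTLE_DEBUG` rather than with `assert()` alone.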