Implement the %build_type_safety_c macro (#2218019)

The default remains at 0 (no change) until the corresponding Fedora
change proposal is accepted:

  <https://fedoraproject.org/wiki/Changes/GNUToolchainF39>

buildflags.md

@@ -114,6 +114,55 @@ or:
     BuildRequires: clang compiler-rt
     %endif
 
+### Controlling Type Safety
+
+The macro `%build_type_safety_c` can be set to change the C type
+safety level.  By default (value 0), all C constructs that GCC accepts
+for backwards compatibility with obsolete language standards are
+accepted during package builds.  Packages can set
+`%build_type_safety_c` to higher values to adopt future
+distribution-wide type-safety increases early.
+
+When changing the `%build_type_safety_c` level to increase it, spec
+file should use a construct like this to avoid *lowering* a future
+default:
+
+```
+%if %build_type_safety_c < 2
+%global %build_type_safety_c 2
+%endif
+```
+
+At level 1, the following additional error categories are enabled:
+
+* `-Werror=implicit-int`: Reject declarations and definitions that
+  omit a type name where one is required.  Examples are:
+  `extern int_variable;`, `extern int_returning_function (void);`,
+  and missing separate parameter type declarations in old-style
+  function definitions.
+* `-Werror=implicit-function-declaration`: Reject calls to functions
+  to undeclared functions such as `function_not_defined_anywhere ()`.
+  Previously, such expressions where we compiled as if a declaration
+  `extern int function_not_defined_anywhere ();` (a prototype-less
+  function declaration) were in scope.
+
+At level 2, the following error category is enabled in addition:
+
+* `-Werror=int-conversion`: Reject the use of integer expressions
+  where a pointer type expected, and pointer expressions where an
+  integer type is expected.  Without this option, GCC may produce an
+  executable, but often, there are failures at run time because not
+  the full 64 bits of pointers are preserved.
+
+The additional level 3 error category is:
+
+* `-Werror=incompatible-pointer-types`: An expression of one pointer
+  type is used where different pointer type is expected.  (This does
+  not cover signed/unsigned mismatches in the pointer target type.)
+
+Clang errors out on more obsolete and invalid C constructs than C, so
+the type safety is higher by default than with the GCC toolchain.
+
 ### Disable autotools compatibility patching
 
 By default, the invocation of the `%configure` macro replaces
@@ -416,6 +465,7 @@ The general (architecture-independent) build flags are:
   This can occasionally result in compilation errors. In that case,
   the best option is to rewrite the source code so that only constant
   format strings (string literals) are used.
+* Other `-Werror=` options.  See **Controlling C Type Safety**.
 * `-U_FORTIFY_SOURCE, -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3`:
   See the Source Fortification section above and the `%_fortify_level`
   override.

macros

@@ -384,12 +384,16 @@ print(result)
 %_fortify_level		3
 %_fortify_level_flags	%[ 0%{?_fortify_level} > 0 ? "-Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=%{_fortify_level}" : "" ]
 
+# This can be set to a positive integer to obtain increasing type
+# safety levels for C.  See buildflags.md.
+%build_type_safety_c 0
+
 # Some linkers default to a build-id algorithm that is not supported by rpmbuild,
 # so we need to specify the right algorithm to use.
 %_build_id_flags	-Wl,--build-id=sha1
 
 %_general_options       -O2 %{?_lto_cflags} -fexceptions -g -grecord-gcc-switches -pipe
-%_warning_options       -Wall%[%__build_for_lang_any ? " -Wno-complain-wrong-lang" : ""]%[%__build_for_lang_c + %__build_for_lang_cxx ? " -Werror=format-security" : ""]
+%_warning_options       -Wall%[%__build_for_lang_any ? " -Wno-complain-wrong-lang" : ""]%[%__build_for_lang_c + %__build_for_lang_cxx ? " -Werror=format-security" : ""]%[%__build_for_lang_c && (%build_type_safety_c >= 1) ? " -Werror=implicit-function-declaration -Werror=implicit-int" : ""]%[%__build_for_lang_c && (%build_type_safety_c >= 2) ? " -Werror=int-conversion" : ""]%[%__build_for_lang_c && (%build_type_safety_c >= 3) ? " -Werror=incompatible-pointer-types" : ""]
 %_preprocessor_defines  %{_fortify_level_flags} -Wp,-D_GLIBCXX_ASSERTIONS
 
 # Common variables are no longer generated by default by gcc and clang

redhat-rpm-config.spec

@@ -4,7 +4,7 @@
 # 2) When making changes, increment the version (in baserelease) by 1.
 #    rpmdev-bumpspec and other tools update the macro below, which is used
 #    in Version: to get the desired effect.
-%global baserelease 259
+%global baserelease 260
 
 Summary: Red Hat specific rpm configuration files
 Name: redhat-rpm-config
@@ -254,6 +254,9 @@ install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora/srpm forge.lua
 %doc buildflags.md
 
 %changelog
+* Wed Jul  5 2023 Florian Weimer <fweimer@redhat.com> - 260-1
+- Implement the %%build_type_safety_c macro (#2218019)
+
 * Wed Jul  5 2023 Florian Weimer <fweimer@redhat.com> - 259-1
 - Filter out C, C++ build flags from Fortran build flags (#2177253)