Fortify Source: A Deeper Dive into Function Hardening on Linux and OS X

Source fortification is a powerful tool in modern compilers.  When enabled (-D_FORTIFY_SOURCE=1 or =2; on glibc it only takes effect when optimizing, -O1 or higher), the C library headers redirect risky functions such as memcpy, strcpy and sprintf to checked variants, and the compiler inserts a bounds check wherever it can determine the size of the destination buffer at compile time (via __builtin_object_size).  Of course, the compiler can only do that if it can figure out what those bounds should be, which isn't always easy: a fixed-size local array is known, a buffer reached through an opaque pointer is not.  The developer does not get much feedback on the success rate of this process, though.  The developer knows that they enabled source code fortification, but they do not get a readout on how many of their memcpy calls were actually replaced with the safer __memcpy_chk, for example, and how many were left as plain, unchecked memcpy. This is important to the consumer because just seeing that a good software build practice was intended does not reveal whether the practice actually improved the safety of the resulting application. That made us really curious to dig into the data on source fortification and its efficacy. 
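The mechanism behind that success rate can be observed directly, because fortified memcpy expands to roughly __builtin___memcpy_chk(dst, src, n, __builtin_object_size(dst, 0)): a call is only ever bounds-checked when __builtin_object_size() can resolve the destination size, and it returns (size_t)-1 when it cannot. The following is an added example, not code from the original post, that reports that outcome for three common call-site patterns and emulates the decision __memcpy_chk makes at run time; checked_copy() and the dest_size_* / overflow_* functions are illustrative names, and the emulation returns an error where glibc's real check would abort through __chk_fail.

```c
/* Added example (not from the original post).  Reports, per call-site
 * pattern, whether FORTIFY_SOURCE would have a destination size to check
 * against, and emulates the runtime decision of __memcpy_chk so the result
 * can be inspected instead of aborting the process. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define UNKNOWN_SIZE ((size_t)-1)   /* __builtin_object_size: size unknown */

/* Emulation of the check __memcpy_chk performs (glibc calls __chk_fail and
 * aborts; here we return 0 so the caller can observe the refusal).
 * Returns 1 if the copy was performed, 0 if refused as an overflow. */
static int checked_copy(void *dst, const void *src, size_t n, size_t dst_size) {
    if (dst_size != UNKNOWN_SIZE && n > dst_size)
        return 0;               /* fortified path: overflow caught */
    memcpy(dst, src, n);        /* size unknown or in bounds: copied as-is */
    return 1;
}

/* Pattern 1: destination is a fixed-size local array.  Size is known, so a
 * memcpy into it is fortified. */
size_t dest_size_local_array(void) {
    char buf[16];
    return __builtin_object_size(buf, 0);   /* 16 */
}

/* Pattern 2: destination arrives through a pointer parameter.  Nothing is
 * known about it, so a memcpy into it stays an unchecked memcpy.
 * noinline keeps the pointer opaque even if the caller is in the same
 * translation unit and the optimizer would otherwise see the real buffer. */
__attribute__((noinline))
size_t dest_size_pointer_param(char *out) {
    return __builtin_object_size(out, 0);   /* (size_t)-1 */
}

/* Pattern 3: heap buffer with a constant malloc size.  Only resolved when
 * the optimizer can track the allocation to the use, i.e. at -O1 or higher,
 * which is also why glibc's headers do not enable fortification at -O0. */
size_t dest_size_heap(void) {
    char *p = malloc(32);
    size_t sz = __builtin_object_size(p, 0);  /* 32 at -O2, (size_t)-1 at -O0 */
    free(p);
    return sz;
}

/* Oversized copy into a local buffer: the size is known, so the checked
 * path refuses it.  Returns 0 for n > 16, 1 otherwise. */
int overflow_into_local_array(const char *src, size_t n) {
    char buf[16];
    return checked_copy(buf, src, n, __builtin_object_size(buf, 0));
}

/* Same copy through an opaque pointer: there is no size to compare against,
 * so the copy always proceeds.  This is the case the build flag silently
 * leaves unprotected; the caller alone guarantees out is large enough. */
__attribute__((noinline))
int overflow_through_pointer(char *out, const char *src, size_t n) {
    return checked_copy(out, src, n, __builtin_object_size(out, 0));
}
```

A cheap readout on a finished binary is to list its undefined symbols and look for the checked variants, e.g. `nm -u ./app | grep _chk`: every `__memcpy_chk`, `__strcpy_chk` or `__sprintf_chk` import is a call site the compiler could bound, while the plain `memcpy` import that usually sits next to them is the set it could not.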