Bug#762336: Please enable hardened build flags
Since the original report and patch, the package has been orphaned, and the rules file changed in a way that makes the tested patch no longer apply. I suspect something like the following untested patch might work.

diff --git a/debian/rules b/debian/rules index 16aad6f..f55fc4c 100755 --- a/debian/rules +++ b/debian/rules @@ -6,6 +6,9 @@ # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 +DPKG_EXPORT_BUILDFLAGS = 1 +include /usr/share/dpkg/buildflags.mk + configureoptions = --bindir=/usr/sbin/ --sysconfdir=/etc/bandwidthd/ --localstatedir=/var/lib/ p_bwdstatic = bandwidthd @@ -26,7 +29,7 @@ configure-bwdstatic-stamp: cp -f /usr/share/misc/config.sub config.sub dh_autoreconf chmod +x configure - INSTALL='install --strip-program=true' dh_auto_configure -- $(configureoptions) --disable-pgsql + $(shell dpkg-buildflags --export=cmdline) INSTALL='install --strip-program=true' dh_auto_configure -- $(configureoptions) --disable-pgsql touch $@ configure-bwdpgsql: configure-bwdpgsql-stamp

I do not dare to apply it without testing.

--
Happy hacking
Petter Reinholdtsen
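Review bot: the first hunk includes buildflags.mk without setting `DEB_BUILD_MAINT_OPTIONS`, so the package gets only whatever hardening set the installed dpkg enables by default. If PIE and immediate binding are wanted for this daemon, request them explicitly with `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` above the `include` line, and confirm the result on the built binaries before upload, since the patch is stated to be untested.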
Bug#762336: Please enable hardened build flags
Source: bandwidthd
Version: 2.0.1+cvs20090917-7
Severity: important
Tags: patch
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening

Hello,

Please enable hardened build flags with dpkg-buildflags (patch attached). dpkg-buildflags handles noopt from DEB_BUILD_OPTIONS.

diff -Nru bandwidthd-2.0.1+cvs20090917/debian/changelog bandwidthd-2.0.1+cvs20090917/debian/changelog --- bandwidthd-2.0.1+cvs20090917/debian/changelog 2013-07-20 18:25:40.0 +0200 +++ bandwidthd-2.0.1+cvs20090917/debian/changelog 2014-09-21 10:39:48.0 +0200 @@ -1,3 +1,10 @@ +bandwidthd (2.0.1+cvs20090917-7.1) unstable; urgency=medium + + * Non-maintainer upload. + * Use dpkg-buildflags and pass *FLAGS to configure + + -- Guillaume Delacour g...@iroqwa.org Sun, 21 Sep 2014 10:27:23 +0200 + bandwidthd (2.0.1+cvs20090917-7) unstable; urgency=low * Move php5-gd to Recommends and also recommend php5 (Closes: #717042) diff -Nru bandwidthd-2.0.1+cvs20090917/debian/rules bandwidthd-2.0.1+cvs20090917/debian/rules --- bandwidthd-2.0.1+cvs20090917/debian/rules 2013-06-14 00:41:25.0 +0200 +++ bandwidthd-2.0.1+cvs20090917/debian/rules 2014-09-21 10:28:19.0 +0200 
@@ -6,6 +6,9 @@ # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 +DPKG_EXPORT_BUILDFLAGS = 1 +include /usr/share/dpkg/buildflags.mk + configureoptions = --prefix=/usr --bindir=/usr/sbin/ --sysconfdir=/etc/bandwidthd/ --localstatedir=/var/lib/ p_bwdstatic = bandwidthd @@ -15,17 +18,6 @@ build_bwdpgsql = debian/bandwidthd-pgsql -CFLAGS = -Wall - -ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS))) - CFLAGS += -g -endif - -ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) - CFLAGS += -O0 -else - CFLAGS += -O2 -endif ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) INSTALL_PROGRAM += -s endif @@ -41,7 +33,7 @@ cp -f /usr/share/misc/config.sub config.sub dh_autoreconf chmod +x configure - ./configure $(configureoptions) --disable-pgsql + $(shell dpkg-buildflags --export=cmdline) ./configure $(configureoptions) --disable-pgsql touch $@ configure-bwdpgsql: configure-bwdpgsql-stamp
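Review bot: the hunk at `@@ -15,17 +18,6 @@` removes `CFLAGS = -Wall` together with the debug and noopt conditionals, and nothing in the patch puts `-Wall` back. dpkg-buildflags takes over the `-g` and `-O0`/`-O2` selection, but `-Wall` was a maintainer choice; keep it by setting `DEB_CFLAGS_MAINT_APPEND = -Wall` next to the `include /usr/share/dpkg/buildflags.mk` line added in the first hunk. The `nostrip` conditional that stays behind does not depend on CFLAGS and is unaffected.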
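Review bot: in the hunk at `@@ -41,7 +33,7 @@`, the `$(shell dpkg-buildflags --export=cmdline)` prefix on `./configure` duplicates what `DPKG_EXPORT_BUILDFLAGS = 1` and the buildflags.mk include from the first hunk already do, which is to export the flags into the environment of the recipe commands. The separate `$(shell ...)` call queries dpkg-buildflags outside buildflags.mk, so a `DEB_*_MAINT_*` variable set in debian/rules without `export` would be honoured by one path and not the other. Only the `--disable-pgsql` configure call is changed; the context ends at `configure-bwdpgsql`, whose configure call is not shown as modified, so the two builds would receive their flags by different routes. Suggest dropping the prefix and relying on the export for both targets.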
Bug#762336: Please enable hardened build flags
Hello Guillaume Delacour!

Thanks for your patch. Have you tested it? Are you sure it doesn't break things?

Too many times have I been asked to enable hardening build and then again having to re-disable it again because the submitter didn't test things at all and when problems showed up the submitter went into hiding.

Regards,
Andreas Henriksson
Bug#762336: Please enable hardened build flags
On Sunday, 21 September 2014 at 16:11 +0200, Andreas Henriksson wrote:
> Hello Guillaume Delacour!
>
> Thanks for your patch. Have you tested it? Are you sure it doesn't break things?
>
> Too many times have I been asked to enable hardening build and then again having to re-disable it again because the submitter didn't test things at all and when problems showed up the submitter went into hiding.

I don't use bandwidthd personally, so I've just installed the generated deb with hardened flags, started the daemon, left the default configuration and waited a few minutes to see a first graph with values. It may need a longer test campaign to be sure everything is OK (my desktop only has one eth0 interface).

I didn't see any similar issue reported before for bandwidthd (and the fix is simple to implement), this is why I've opened this bug.

> Regards,
> Andreas Henriksson

--
Guillaume Delacour g...@iroqwa.org
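A static check that complements the run-time smoke test described in the message above. This is an added example, not part of the thread or of the bandwidthd package: the function name `check_hardening` and the readelf excerpts are constructed for illustration, and the function judges hardening features from `readelf` output passed in as text.

```shell
#!/bin/sh
# Added example (not from the bug thread): report which hardening features
# are visible in a binary, judged from readelf output passed in as text.
#   $1: `readelf -W -h -l FILE`   $2: `readelf -W -d FILE`
#   $3: `readelf -W --dyn-syms FILE`
has() { printf '%s\n' "$1" | grep -Eq -- "$2"; }
yn()  { if has "$1" "$2"; then echo yes; else echo no; fi; }

check_hardening() {
    # Type DYN is also used by shared libraries, so "pie" is only
    # meaningful for executables.
    echo "pie=$(yn "$1" 'Type:[[:space:]]+DYN')"
    echo "relro=$(yn "$1" 'GNU_RELRO')"
    # BIND_NOW appears as its own tag, in FLAGS, or as NOW in FLAGS_1.
    echo "bindnow=$(yn "$2" 'BIND_NOW|FLAGS_1.*NOW')"
    echo "stackprotector=$(yn "$3" '__stack_chk_fail')"
    # Fortified libc wrappers end in _chk (for example __sprintf_chk).
    echo "fortify=$(yn "$3" ' __[a-z0-9_]+_chk(@|$)')"
}

# Constructed readelf excerpts: a binary built without hardening flags ...
PLAIN_HDR='  Type:                              EXEC (Executable file)
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x00a000 0x00a000 R E 0x200000'
PLAIN_DYN=' 0x0000000000000001 (NEEDED)             Shared library: [libpcap.so.0.8]'
PLAIN_SYM='     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND sprintf@GLIBC_2.2.5 (2)'
# ... and one built with hardening=+all.
HARD_HDR='  Type:                              DYN (Shared object file)
  GNU_RELRO      0x00ad90 0x000000000020ad90 0x000000000020ad90 0x000270 0x000270 R   0x1'
HARD_DYN=' 0x0000000000000018 (BIND_NOW)
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'
HARD_SYM='     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __sprintf_chk@GLIBC_2.3.4 (3)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (4)'

if [ -n "${1:-}" ]; then          # real binary given on the command line
    check_hardening "$(readelf -W -h -l "$1")" "$(readelf -W -d "$1")" \
                    "$(readelf -W --dyn-syms "$1")"
else                              # no argument: run on the constructed samples
    check_hardening "$PLAIN_HDR" "$PLAIN_DYN" "$PLAIN_SYM"
    check_hardening "$HARD_HDR" "$HARD_DYN" "$HARD_SYM"
fi
```

A missing `fortify` on a `noopt` build is expected, because source fortification only takes effect when optimisation is on.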
Bug#762336: Please enable hardened build flags
Hi again.

Thanks for the feedback!

On Sun, Sep 21, 2014 at 04:27:40PM +0200, Guillaume Delacour wrote:
[...]
> I don't use bandwidthd personally, so I've just installed the generated deb with hardened flags, started the daemon, left the default configuration and waited a few minutes to see a first graph with values. It may need a longer test campaign to be sure everything is OK (my desktop only has one eth0 interface).
>
> I didn't see any similar issue reported before for bandwidthd (and the fix is simple to implement), this is why I've opened this bug.
[...]

Great to hear you at least did some basic testing!

I'll probably wait until after the freeze/release to enable hardening though unless someone shows up and does a heroic effort on the testing side because there's just too big a risk of subtle breakage and we're getting close(r) to the freeze.

Regards,
Andreas Henriksson