Bug#667862: marked as done ([PATCH] pygpiv: Helping to enable hardened build flags)

[Debian Bug Tracking System]

Your message dated Fri, 18 May 2012 11:09:43 +0000
with message-id <e1svl43-0001sf...@franck.debian.org>
and subject line Bug#667862: fixed in pygpiv 2.0.0-4.1
has caused the Debian Bug report #667862,
regarding [PATCH] pygpiv: Helping to enable hardened build flags
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
667862: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=667862
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: pygpiv
Severity: normal
Tags: patch

Hi,

The hardened build flags is one of the release goals of forthcoming
Debian releases. Number of security problems in the past have been
identified in packages that hadn't been fortified. For more
information, see:

    http://lists.debian.org/debian-devel-announce/2012/02/msg00016.html
    http://lists.debian.org/debian-dpkg/2011/09/msg00013.html
    http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags

See attached patch to help to migrate to hardened flags. At the same
time I fixed items reported by Lintian and upgraded the package to the
latest tools and standards version.

Thanks,
Jari


>From 4ef63ba55cee9fcce0ad0229e50284d63c73c0d0 Mon Sep 17 00:00:00 2001
From: Jari Aalto <jari.aa...@cante.net>
Date: Sat, 7 Apr 2012 09:49:19 +0300
Subject: [PATCH] harden
Organization: Private
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Signed-off-by: Jari Aalto <jari.aa...@cante.net>
---
 debian/README.source                               |   38 --------------------
 debian/changelog                                   |   11 ++++++
 debian/compat                                      |    2 +-
 debian/control                                     |    4 +-
 .../{01_python2.6.diff => 01_python2.6.patch}      |    8 +---
 ...include.diff => 02_fix_multiarch_include.patch} |    8 +---
 debian/patches/series                              |    4 +-
 debian/rules                                       |   12 ++++++-
 8 files changed, 31 insertions(+), 56 deletions(-)
 delete mode 100644 debian/README.source
 rename debian/patches/{01_python2.6.diff => 01_python2.6.patch} (69%)
 mode change 100755 => 100644
 rename debian/patches/{02_fix_multiarch_include.diff => 02_fix_multiarch_include.patch} (82%)
 mode change 100755 => 100644

diff --git a/debian/README.source b/debian/README.source
deleted file mode 100644
index fc98b3d..0000000
--- a/debian/README.source
+++ /dev/null
@@ -1,38 +0,0 @@
-This package uses dpatch to manage all modifications to the upstream
-source. Changes are stored in the source package as diffs in
-debian/patches and applied during the build.
-
-To get the fully patched source after unpacking the source package, cd
-to the root level of the source package and run:
-
-    debian/rules patch
-
-Removing a patch is as simple as removing its entry from the
-debian/patches/00list file, and please also remove the patch file
-itself.
-
-Creating a new patch is done with "dpatch-edit-patch patch XX_patchname"
-where you should replace XX with a new number and patchname with a
-descriptive shortname of the patch. You can then simply edit all the
-files your patch wants to edit, and then simply "exit 0" from the shell
-to actually create the patch file.
-
-To tweak an already existing patch, call "dpatch-edit-patch XX_patchname"
-and replace XX_patchname with the actual filename from debian/patches
-you want to use.
-
-To clean up afterwards again, "debian/rules unpatch" will do the
-work for you - or you can of course choose to call
-"fakeroot debian/rules clean" all together.
-
-
---- 
-
-this documentation is part of dpatch package, and may be used by
-packages using dpatch to comply with policy on README.source. This
-documentation is meant to be useful to users who are not proficient in
-dpatch in doing work with dpatch-based packages. Please send any
-improvements to the BTS of dpatch package.
-
-original text by Gerfried Fuchs, edited by Junichi Uekawa <dan...@debian.org>
-10 Aug 2008.
diff --git a/debian/changelog b/debian/changelog
index 5372b7f..7ed191b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+pygpiv (2.0.0-4.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Upgrade to packaging format "3.0 quilt".
+  * Convert dpatch format *.diff files into DEP3, README.source not needed.
+  * Update to Standards-Version to 3.9.3.1 and debhelper to 9.
+  * Use hardened build flags and dh_prep in rules file
+    http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
+
+ -- Jari Aalto <jari.aa...@cante.net>  Sat, 07 Apr 2012 09:29:49 +0300
+
 pygpiv (2.0.0-4) unstable; urgency=low
 
   * Repairs python dependency on hdf5.
diff --git a/debian/compat b/debian/compat
index 1e8b314..ec63514 100644
--- a/debian/compat
+++ b/debian/compat
@@ -1 +1 @@
-6
+9
diff --git a/debian/control b/debian/control
index 22ba977..a4b8717 100644
--- a/debian/control
+++ b/debian/control
@@ -3,9 +3,9 @@ Section: python
 Priority: extra
 Maintainer: Gerber van der Graaf <gerber_gr...@users.sourceforge.net>
 X-Python-Version: >=2.7
-Standards-Version: 3.9.2
+Standards-Version: 3.9.3.1
 Homepage: http://libgpiv.sourceforge.net/pygpiv.html
-Build-Depends: debhelper (>= 6), python-all-dev (>= 2.6.6-3~),
+Build-Depends: debhelper (>= 9), dpkg-dev (>= 1.16.1), python-all-dev (>= 2.6.6-3~),
  swig, libglib2.0-dev, libfftw3-dev, libgsl0-dev,
  libhdf5-dev (>= 1.8.8), libnetpbm10-dev, libpng-dev, libgpiv3-dev
 
diff --git a/debian/patches/01_python2.6.diff b/debian/patches/01_python2.6.patch
old mode 100755
new mode 100644
similarity index 69%
rename from debian/patches/01_python2.6.diff
rename to debian/patches/01_python2.6.patch
index a93ed6a..1ae0bc0
--- a/debian/patches/01_python2.6.diff
+++ b/debian/patches/01_python2.6.patch
@@ -1,10 +1,6 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## python2.6.dpatch by  <ger...@hamburg.upc.es>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: No description.
+From: <ger...@hamburg.upc.es>
+Subject: No description.
 
-@DPATCH@
 diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' pygpiv-2.0.0~/pygpiv.i pygpiv-2.0.0/pygpiv.i
 --- pygpiv-2.0.0~/pygpiv.i	2009-11-03 19:44:41.000000000 +0100
 +++ pygpiv-2.0.0/pygpiv.i	2010-03-02 15:50:22.000000000 +0100
diff --git a/debian/patches/02_fix_multiarch_include.diff b/debian/patches/02_fix_multiarch_include.patch
old mode 100755
new mode 100644
similarity index 82%
rename from debian/patches/02_fix_multiarch_include.diff
rename to debian/patches/02_fix_multiarch_include.patch
index 298daad..12a56cc
--- a/debian/patches/02_fix_multiarch_include.diff
+++ b/debian/patches/02_fix_multiarch_include.patch
@@ -1,10 +1,6 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 02_fix_multiarch_include.dpatch by Michael Terry <mte...@ubuntu.com>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Use pkg-config to find library needed for glib-2.0
+From: Michael Terry <mte...@ubuntu.com>
+Subject: Use pkg-config to find library needed for glib-2.0
 
-@DPATCH@
 diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' pygpiv~/setup.py pygpiv/setup.py
 --- pygpiv~/setup.py	2011-07-05 11:19:59.000000000 -0400
 +++ pygpiv/setup.py	2011-07-05 11:20:43.348848694 -0400
diff --git a/debian/patches/series b/debian/patches/series
index ba06f05..fcc8e12 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,2 @@
-01_python2.6.diff
-02_fix_multiarch_include.diff
+01_python2.6.patch
+02_fix_multiarch_include.patch
diff --git a/debian/rules b/debian/rules
index a192652..bcb5ac6 100755
--- a/debian/rules
+++ b/debian/rules
@@ -10,6 +10,14 @@
 #export DH_VERBOSE=1
 PREFIX := debian/python-gpiv/usr
 
+# NOTE: Sources wonät compile with all hardening enabled:
+# export DEB_BUILD_MAINT_OPTIONS= hardening=+all
+
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
+
+CFLAGS	+= -Wall
+LDFLAGS += -Wl,--as-needed
 
 clean: 
 	dh_testdir
@@ -29,6 +37,8 @@ build-stamp:
 	dh_testdir
 
 	# Add here commands to compile the package.
+	CFLAGS="$(CFLAGS) $(CPPFLAGS)" \
+	LDFLAGS="$(LDFLAGS)" \
 	python ./setup.py build -b debian/python-gpiv
 	touch $@
 
@@ -36,7 +46,7 @@ build-stamp:
 install: build
 	dh_testdir
 	dh_testroot
-	dh_clean -k 
+	dh_prep 
 
 	# Add here commands to install the package into debian/pygpiv.
 	python ./setup.py install --root=debian/python-gpiv
-- 
1.7.9.1

--- End Message ---

--- Begin Message ---

Source: pygpiv
Source-Version: 2.0.0-4.1

We believe that the bug you reported is fixed in the latest version of
pygpiv, which is due to be installed in the Debian FTP archive:

pygpiv_2.0.0-4.1.debian.tar.gz
  to main/p/pygpiv/pygpiv_2.0.0-4.1.debian.tar.gz
pygpiv_2.0.0-4.1.dsc
  to main/p/pygpiv/pygpiv_2.0.0-4.1.dsc
python-gpiv_2.0.0-4.1_amd64.deb
  to main/p/pygpiv/python-gpiv_2.0.0-4.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 667...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jari Aalto <jari.aa...@cante.net> (supplier of updated pygpiv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 18 May 2012 12:06:45 +0300
Source: pygpiv
Binary: python-gpiv
Architecture: source amd64
Version: 2.0.0-4.1
Distribution: unstable
Urgency: low
Maintainer: Gerber van der Graaf <gerber_gr...@users.sourceforge.net>
Changed-By: Jari Aalto <jari.aa...@cante.net>
Description: 
 python-gpiv - wrapper of libgpiv
Closes: 667862
Changes: 
 pygpiv (2.0.0-4.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Upgrade to packaging format "3.0 quilt".
   * Convert dpatch format *.diff files into DEP3, README.source not needed.
   * Update to Standards-Version to 3.9.3.1 and debhelper to 9.
   * Use hardened build flags and dh_prep in rules file (Closes: #667862).
     http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
Checksums-Sha1: 
 189b009f2cb08af4418e4cb8b07b64fae8659028 1262 pygpiv_2.0.0-4.1.dsc
 e528952ca7503a83c25fa0d3ffe210ed0c3ecc03 3727 pygpiv_2.0.0-4.1.debian.tar.gz
 1e9c0f22964c0b1f977a152408ee5d8a28e122f0 168822 python-gpiv_2.0.0-4.1_amd64.deb
Checksums-Sha256: 
 585ecce3433e82b0147e8b7e27ac2b5bd621f0975a9c855a0358484a71592eba 1262 
pygpiv_2.0.0-4.1.dsc
 75c0e0599ec7f27c8cdc40b688673bafbbce58d5429b26aa5661f8429de7a27f 3727 
pygpiv_2.0.0-4.1.debian.tar.gz
 67dd1a8943446e5890306d4f564f7de3e80fdc88a958f3276a2033f909550c4b 168822 
python-gpiv_2.0.0-4.1_amd64.deb
Files: 
 58f7f078f1a52896e27c7c2006ba8324 1262 python extra pygpiv_2.0.0-4.1.dsc
 fbb967aff66279677fc4bece68549bc3 3727 python extra 
pygpiv_2.0.0-4.1.debian.tar.gz
 f1408cf1d6151f0a596c9a3bc82d3ee1 168822 python extra 
python-gpiv_2.0.0-4.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk+2KVEACgkQLARVQsm1XaxFCACbByAytPaDvtAHSKwYE0ocvnJn
EqoAn3ASqUk7YW/rggc5EmkGBXEcTUno
=pmEL
-----END PGP SIGNATURE-----

--- End Message ---