Your message dated Tue, 04 Nov 2025 22:53:49 +0000
with message-id <[email protected]>
and subject line Bug#1119509: fixed in obitools 3.0.1~b26+dfsg-5
has caused the Debian Bug report #1119509,
regarding obitools: please build using the default build flags
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1119509: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119509
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: obitools
Version: 3.0.1~b26+dfsg-4
User: [email protected]
Usertags: hardening-buildflags
obitools is not currently using the default build flags set by
dpkg-buildflags(1).
The default flags are chosen for multiple reasons including security,
performance, reproducibility, adherence to standards, and error handling.
Please make sure that obitools builds using the default build flags. blhc(1p)
and hardening-check(1) can be used to confirm that the issue is fixed.
In the general case, packages honoring CFLAGS, LDFLAGS, and other
similar environment variables get the default build flags for free
without the need for any work on the maintainer side. In the case of
obitools, the flags are either ignored or overridden.
The most common reasons for this are:
Hand-written Makefiles
----------------------
Some upstream Makefiles either override the values of variables such as
CFLAGS and similar or do not use them at all. See:
https://wiki.debian.org/HardeningWalkthrough#Handwritten_Makefiles
Misconfigured build systems
---------------------------
If the upstream code uses autotools, CMake, or other popular build
systems, it usually requires no further modifications. If might however
be that some variables are hardcoded in some way.
In this CMake snippet, the value of CXXFLAGS is overwritten with "-O2":
set(CMAKE_CXX_FLAGS "-O2")
If the intention is to append to CXXFLAGS, one should use the following
instead:
set(CMAKE_CXX_FLAGS "-O2 ${CMAKE_CXX_FLAGS}")
See #655870 for a similar autotools example.
Very old debhelper usage
------------------------
Packages not using dh(1), or those using a debhelper compatibility level
less than 9, need to manually include /usr/share/dpkg/buildflags.mk in
order for the dpkg-buildflags variables to be set:
https://wiki.debian.org/Hardening#dpkg-buildflags
Flags hardcoded in debian/rules (either voluntarily or not)
-----------------------------------------------------------
Some packages voluntarily hardcode the values of CFLAGS and friends in
debian/rules, ignoring the defaults set by dpkg-buildflags(1).
Others attempt to append to the variables, but end up accidentally
overriding the defaults:
#!/usr/bin/make -f
export CFLAGS += -pipe -fPIC -Wall
%:
dh $@
Debhelper only sets CFLAGS if it is not set yet. In the example above,
when dh is invoked the value of CFLAGS is "-pipe -fPIC -Wall", hence the
hardened defaults are not used. The right way to append to CFLAGS is
using DEB_CFLAGS_MAINT_APPEND instead, as documented in
dpkg-buildflags(1).
For a detailed analysis of this issue, see:
https://people.debian.org/~ema/nocflags_paper.pdf (eprint: hal-05334704)
--- End Message ---
--- Begin Message ---
Source: obitools
Source-Version: 3.0.1~b26+dfsg-5
Done: Étienne Mollier <[email protected]>
We believe that the bug you reported is fixed in the latest version of
obitools, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Étienne Mollier <[email protected]> (supplier of updated obitools package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 04 Nov 2025 23:20:25 +0100
Source: obitools
Architecture: source
Version: 3.0.1~b26+dfsg-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team
<[email protected]>
Changed-By: Étienne Mollier <[email protected]>
Closes: 1047870 1119509 1119752
Changes:
obitools (3.0.1~b26+dfsg-5) unstable; urgency=medium
.
* Team upload.
* cython3.patch: fix build failure with cython3. (Closes: #1119752)
* cflags.patch: new: propagate missing CFLAGS. (Closes: #1119509)
* d/{clean,rules}: repair the "clean" target. (Closes: #1047870)
* d/triggers: new: ensure ldconfig execution after install.
* no_cython_in_binary_package.patch: dep3 header.
* d/watch: convert to v5 PyPI project scanner.
* d/control: drop redundant Rules-Requires-Root: no.
* d/control: declare compliance to standards version 4.7.2.
Checksums-Sha1:
5ab2d9537485490a50e9975a42030982fc14f093 2338 obitools_3.0.1~b26+dfsg-5.dsc
ffd30d3464fc011b1beed5c1e35a304504fd26c6 3556872
obitools_3.0.1~b26+dfsg-5.debian.tar.xz
Checksums-Sha256:
c3dffad46eb3c5813073616d7f4d3e74d157fbc6d1279f442f268ca10079e9d3 2338
obitools_3.0.1~b26+dfsg-5.dsc
6c2586e55d1238b06add627bd9019589d332e22aa25bf78985c2c45fb058fd62 3556872
obitools_3.0.1~b26+dfsg-5.debian.tar.xz
Files:
d1d4fbf084d82c253d1d293b11210f7d 2338 science optional
obitools_3.0.1~b26+dfsg-5.dsc
d56d5260d442fab59951dc2232ced855 3556872 science optional
obitools_3.0.1~b26+dfsg-5.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQJIBAEBCgAyFiEEj5GyJ8fW8rGUjII2eTz2fo8NEdoFAmkKfpAUHGVtb2xsaWVy
QGRlYmlhbi5vcmcACgkQeTz2fo8NEdq30g/+JUVDYtvx7H1HU4XhhQlvlA+bHfDT
5uCYXvSAk20Ae5NnZh3tt+8GxinzIFBKPAfeqFk/9S66dltw3yUIJpyAW+LEKHyE
B5ASWj8RtSA1EXwMByKucUy0Swr6kxh0E1AHv3C5s7ctPadaTzb+cnLuYs2ftzwD
E7fWSe5z5NS68YIRJBG5r/soz7XmYFicIzMqGdxqVca6T62FcMUaNKaR8GxkStw2
KBO62W+GZxtICtvgPSrq5XlfRbkSRpRMh3f9uONm+g73TaHOXVQflVR+S8483Y42
sRuqlqV8x4AdnRCnlpB3AXL+icgcWiGZNg8P4LSoh/RzzdP/apTrkXYIf2YkKrVx
0j/o3rWTMOUlw9r7oHgLZcaouaiH22WLL1yXqJuAMKDuJKYBJ4ru1frHCvzeDmzr
KGbEeUU8CBQDn2uxII2a/J5dTtPf0l0Hlq6Zf6k/9g47s+TllXWeNbey+D5y/yKE
MGDUPJlRPuISA3oNlRQeA6aMPIoWX9mXc/E+hbhUWwrN3VR9ZrAxd9le1x1q8/jR
oa5F41Yhvuj12E5+VMwFlah5OOhsTQOeD5qVtoMnaKqTml5lrQH7jdR3+QT/r8xH
FfZfkgMuBjCvwFpQL0Uj7+G2+NTIXMHicBQQTqdj5npZN3MSUQq+G5pOEPCnnywx
qDZRLnqH04LFrMg=
=SVVG
-----END PGP SIGNATURE-----
pgpRTevvrRjkd.pgp
Description: PGP signature
--- End Message ---
