Package: blhc Version: 0.11-1 Severity: normal Hi,
I've been trying to fix a dpkg-buildflags-missing CPPFLAGS lintian issue in the w1retap package, the blhc output on the build log is: CPPFLAGS missing (-D_FORTIFY_SOURCE=2): libtool: link: (cd .libs && gcc -g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -c -fno-builtin "w1retapS.c") However looking at the build log snippet[0] the full command is actually a call to libtool in link mode. This libtool invocation generates a new S.c file to generate dlsyms information. Looking at the internals of a generated libtool[1], it's basing the gcc args on LTCFLAGS. When libtool is generated it bases its LTCFLAGS from CFLAGS[2]. Looking at the dpkg-buildflags hardening the -D_FORTIFY_SOURCE=2 flag is for CPPFLAGS rather than CFLAGS[3]. If I rebuild[4] adding qa=+canary to DEB_BUILD_MAINT_OPTIONS I can see that the canary CFLAGS get added to the libtool call and to the same gcc call for w1retapS.c for dlsyms generation. I suspect that blhc is erroneously reporting this. Kind Regards Tom -- System Information: Debian Release: bullseye/sid APT prefers testing APT policy: (800, 'testing'), (700, 'unstable'), (600, 'experimental'), (500, 'unstable-debug'), (500, 'testing-debug'), (1, 'experimental-debug') Architecture: amd64 (x86_64) Foreign Architectures: armel, armhf, i386 Kernel: Linux 5.4.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages blhc depends on: ii libdpkg-perl 1.19.7 blhc recommends no packages. blhc suggests no packages. -- debconf-show failed -- footnotes [0] /bin/bash ../libtool --tag=CC --mode=link gcc -g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -m odule -Wl,--export-dynamic -lgmodule-2.0 -pthread -lglib-2.0 -lxml2 -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -Wl,--disable-new-dtags -o libw1xml.la -rpath /usr/li b/x86_64-linux-gnu/w1retap libw1xml_la-w1xml.lo -lxml2 -lrt -lm libtool: link: gcc -shared -fPIC -DPIC .libs/w1csv.o -lgmodule-2.0 -lglib-2.0 -lxml2 -lrt -lm -g -O2 -fstack-protector-strong -Wl,--export-dynamic -pthread -Wl,-z -Wl,relro -Wl,-z -Wl,now -Wl,--as-needed -Wl,--disable-new-dtags -pthread -Wl,-soname -Wl,libw1csv.so.0 -o .libs/libw1csv.so.0.0.0 libtool: link: gcc -shared -fPIC -DPIC .libs/w1file.o -lgmodule-2.0 -lglib-2.0 -lxml2 -lrt -lm -g -O2 -fstack-protector-strong -Wl,--export-dynamic -pthread -Wl,-z -Wl,relro -Wl,-z -Wl,now -Wl,--as-needed -Wl,--disable-new-dtags -pthread -Wl,-soname -Wl,libw1file.so.0 -o .libs/libw1file.so.0.0.0 libtool: link: gcc -shared -fPIC -DPIC .libs/libw1xml_la-w1xml.o -lgmodule-2.0 -lglib-2.0 -lxml2 -lrt -lm -g -O2 -fstack-protector-strong -Wl,--export-dynam ic -pthread -Wl,-z -Wl,relro -Wl,-z -Wl,now -Wl,--as-needed -Wl,--disable-new-dtags -pthread -Wl,-soname -Wl,libw1xml.so.0 -o .libs/libw1xml.so.0.0.0 libtool: link: (cd ".libs" && rm -f "libw1file.so.0" && ln -s "libw1file.so.0.0.0" "libw1file.so.0") libtool: link: (cd ".libs" && rm -f "libw1csv.so.0" && ln -s "libw1csv.so.0.0.0" "libw1csv.so.0") libtool: link: (cd ".libs" && rm -f "libw1file.so" && ln -s "libw1file.so.0.0.0" "libw1file.so") libtool: link: (cd ".libs" && rm -f "libw1csv.so" && ln -s "libw1csv.so.0.0.0" "libw1csv.so") libtool: link: ar cru .libs/libw1file.a w1file.o ar: `u' modifier ignored since `D' is the default (see `U') libtool: link: ranlib .libs/libw1file.a libtool: link: ar cru .libs/libw1csv.a w1csv.o ar: `u' modifier ignored since `D' is the default (see `U') libtool: link: ranlib .libs/libw1csv.a libtool: link: (cd ".libs" && rm -f "libw1xml.so.0" && ln -s "libw1xml.so.0.0.0" "libw1xml.so.0") libtool: link: (cd ".libs" && rm -f "libw1xml.so" && ln -s "libw1xml.so.0.0.0" "libw1xml.so") libtool: link: ( cd ".libs" && rm -f "libw1file.la" && ln -s "../libw1file.la" "libw1file.la" ) libtool: link: ( cd ".libs" && rm -f "libw1csv.la" && ln -s "../libw1csv.la" "libw1csv.la" ) libtool: link: ar cru .libs/libw1xml.a libw1xml_la-w1xml.o /bin/bash ../libtool --tag=CC --mode=link gcc -g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -r dynamic -Wl,--export-dynamic -lgmodule-2.0 -pthread -lglib-2.0 -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -Wl,--disable-new-dtags -o w1retap w1retap-w1retap.o w1r etap-w1conf.o w1retap-w1util.o w1retap-w1sensors.o "-dlopen" libw1file.la -L./libusblinux300/.libs -L./libusblinux300 -lowfat -lw1common -lm -lxml2 -lrt -lm ar: `u' modifier ignored since `D' is the default (see `U') libtool: link: ranlib .libs/libw1xml.a libtool: link: ( cd ".libs" && rm -f "libw1xml.la" && ln -s "../libw1xml.la" "libw1xml.la" ) libtool: link: rm -f .libs/w1retap.nm .libs/w1retap.nmS .libs/w1retap.nmT libtool: link: rm -f ".libs/w1retap.nmI" libtool: link: (cd .libs && gcc -g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -c -fno-builtin "w1retapS.c") libtool: link: rm -f ".libs/w1retapS.c" ".libs/w1retap.nm" ".libs/w1retap.nmS" ".libs/w1retap.nmT" ".libs/w1retap.nmI" libtool: link: gcc -g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -rdynamic -Wl,--export-dynamic -pthread -Wl,-z -Wl,relro -Wl,-z -Wl,now -Wl,--as-needed -Wl,--disable-new-dtags -o .libs/w1retap w1retap-w1retap.o w1retap-w1conf.o w1retap-w1util.o w1retap-w1sensors.o .libs/w1retapS.o -lgmodule-2.0 -lglib-2.0 -L./libusblinux300/.libs -L./libusblinux300 -lowfat /<<PKGBUILDDIR>>/src/libusblinux300/.libs/libw1common.so -lxml2 -lrt -lm -pthread -Wl,-rpath -Wl,/usr/lib/x86_64-linux-gnu/w1retap [1] symtab_cflags= for arg in $LTCFLAGS; do case $arg in -pie | -fpie | -fPIE) ;; *) func_append symtab_cflags " $arg" ;; esac done # Now compile the dynamic symbol file. func_show_eval '(cd $output_objdir && $LTCC$symtab_cflags -c$no_builtin_flag$pic_flag_for_symtable "$my_dlsyms")' 'exit $?' [2] $ export DEB_BUILD_MAINT_OPTIONS=hardening=+all $ export DEB_CFLAGS_MAINT_APPEND=-Wall $ export DEB_LDFLAGS_MAINT_APPEND="-Wl,--as-needed -Wl,--disable-new-dtags" $ dpkg-buildflags | grep ^CFLAGS CFLAGS=-g -O2 -fdebug-prefix-map=/home/thomas/src/w1retap/w1retap=. -fstack-protector-strong -Wformat -Werror=format-security -Wall $ $ grep ^LTCFLAGS libtool LTCFLAGS="-g -O2 -fdebug-prefix-map=/home/thomas/src/w1retap/w1retap=. -fstack-protector-strong -Wformat -Werror=format-security -Wall" $ [3] $ DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags | grep D_FORTIFY_SOURCE CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2 $ [4] /bin/bash ../libtool --tag=CC --mode=link gcc -g -O2 -D__DEB_CANARY_CFLAGS_fc4ddc15f9f4b4b06ef7844d6bb53abf__ -fdebug-prefix-map=/home/thomas/src/w1retap/w1retap=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -rdynamic -Wl,--export-dynamic -lgmodule-2.0 -pthread -lglib-2.0 -Wl,-z,deb-canary-fc4ddc15f9f4b4b06ef7844d6bb53abf -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -Wl,--disable-new-dtags -Wl,--allow-multiple-definition -o w1retap w1retap-w1retap.o w1retap-w1conf.o w1retap-w1util.o w1retap-w1sensors.o "-dlopen" libw1file.la -L./libusblinux300/.libs -L./libusblinux300 -lowfat -lw1common -lm -lxml2 -lrt -lm libtool: link: gcc -shared -fPIC -DPIC .libs/w1csv.o -lgmodule-2.0 -lglib-2.0 -lxml2 -lrt -lm -g -O2 -fstack-protector-strong -Wl,--export-dynamic -pthread -Wl,-z -Wl,deb-canary-fc4ddc15f9f4b4b06ef7844d6bb53abf -Wl,-z -Wl,relro -Wl,-z -Wl,now -Wl,--as-needed -Wl,--disable-new-dtags -Wl,--allow-multiple-definition -pthread -Wl,-soname -Wl,libw1csv.so.0 -o .libs/libw1csv.so.0.0.0 /usr/bin/ld: warning: -z deb-canary-fc4ddc15f9f4b4b06ef7844d6bb53abf ignored libtool: link: (cd ".libs" && rm -f "libw1csv.so.0" && ln -s "libw1csv.so.0.0.0" "libw1csv.so.0") libtool: link: gcc -shared -fPIC -DPIC .libs/libw1xml_la-w1xml.o -lgmodule-2.0 -lglib-2.0 -lxml2 -lrt -lm -g -O2 -fstack-protector-strong -Wl,--export-dynamic -pthread -Wl,-z -Wl,deb-canary-fc4ddc15f9f4b4b06ef7844d6bb53abf -Wl,-z -Wl,relro -Wl,-z -Wl,now -Wl,--as-needed -Wl,--disable-new-dtags -Wl,--allow-multiple-definition -pthread -Wl,-soname -Wl,libw1xml.so.0 -o .libs/libw1xml.so.0.0.0 libtool: link: (cd ".libs" && rm -f "libw1csv.so" && ln -s "libw1csv.so.0.0.0" "libw1csv.so") libtool: link: ar cru .libs/libw1csv.a w1csv.o ar: `u' modifier ignored since `D' is the default (see `U') libtool: link: ranlib .libs/libw1csv.a libtool: link: ( cd ".libs" && rm -f "libw1csv.la" && ln -s "../libw1csv.la" "libw1csv.la" ) /usr/bin/ld: warning: -z deb-canary-fc4ddc15f9f4b4b06ef7844d6bb53abf ignored libtool: link: (cd ".libs" && rm -f "libw1xml.so.0" && ln -s "libw1xml.so.0.0.0" "libw1xml.so.0") libtool: link: (cd ".libs" && rm -f "libw1xml.so" && ln -s "libw1xml.so.0.0.0" "libw1xml.so") libtool: link: ar cru .libs/libw1xml.a libw1xml_la-w1xml.o ar: `u' modifier ignored since `D' is the default (see `U') libtool: link: rm -f .libs/w1retap.nm .libs/w1retap.nmS .libs/w1retap.nmT libtool: link: ranlib .libs/libw1xml.a libtool: link: ( cd ".libs" && rm -f "libw1xml.la" && ln -s "../libw1xml.la" "libw1xml.la" ) libtool: link: rm -f ".libs/w1retap.nmI" libtool: link: (cd .libs && gcc -g -O2 -D__DEB_CANARY_CFLAGS_fc4ddc15f9f4b4b06ef7844d6bb53abf__ -fdebug-prefix-map=/home/thomas/src/w1retap/w1retap=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -c -fno-builtin "w1retapS.c") libtool: link: rm -f ".libs/w1retapS.c" ".libs/w1retap.nm" ".libs/w1retap.nmS" ".libs/w1retap.nmT" ".libs/w1retap.nmI" libtool: link: gcc -g -O2 -D__DEB_CANARY_CFLAGS_fc4ddc15f9f4b4b06ef7844d6bb53abf__ -fdebug-prefix-map=/home/thomas/src/w1retap/w1retap=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -rdynamic -Wl,--export-dynamic -pthread -Wl,-z -Wl,deb-canary-fc4ddc15f9f4b4b06ef7844d6bb53abf -Wl,-z -Wl,relro -Wl,-z -Wl,now -Wl,--as-needed -Wl,--disable-new-dtags -Wl,--allow-multiple-definition -o .libs/w1retap w1retap-w1retap.o w1retap-w1conf.o w1retap-w1util.o w1retap-w1sensors.o .libs/w1retapS.o -lgmodule-2.0 -lglib-2.0 -L./libusblinux300/.libs -L./libusblinux300 -lowfat /home/thomas/src/w1retap/w1retap/src/libusblinux300/.libs/libw1common.so -lxml2 -lrt -lm -pthread -Wl,-rpath -Wl,/usr/lib/x86_64-linux-gnu/w1retap /usr/bin/ld: warning: -z deb-canary-fc4ddc15f9f4b4b06ef7844d6bb53abf ignored
