On 2012-03-05 04:47, Kees Cook wrote:
> Okay, here's the latest version. Some notes:
>

Hi,

Thanks for the update.

> - It requires the latest dpkg-dev (still in experimental) to get
>   the dpkg-buildflags that supports --query-features.
>

Unfortunately I see two issues here. First, we have been asked to avoid the unconditional dpkg-dev dependency (see #626476). Perhaps we can use libdpkg-perl as a fall-back in this case (like we do in collection/unpacked).

The second problem is that the given version of dpkg-dev is not in stable[1] and (as I recall) the backport FTP masters were not too happy with the last backport.

[1] It is not in unstable either, but at this point I am more concerned with getting it in stable.

> - The hardening checker only expects the hardened features that are
>   defaulted on for the architecture of the package it is examining.
>

Good :)

> - The hardening checker checks if it is running as part of the
>   internal test suite, so that it is disabled for all tests except
>   its own, since the bulk of the internal tests do not build with
>   hardening flags, and only for i386 and amd64 since there isn't
>   a sane way to generate the "tags" file on the fly for a test.
>

To be honest I do not like the idea of Lintian checks/collections behaving differently during tests. I suppose we could make a """sane way to generate the "tags" file""". We already have several hooks in the test suite, adding another one should not be a great issue. Though, we only want hardening tags emitted in a selected few tests...

> Doing manual testing shows that building, for example, the "hello"
> package as-is triggers appropriate warnings, and when I fix the "hello"
> package to import the dpkg-buildflags correctly, the lintian warnings
> go away. :)
>
> -Kees
>

~Niels