On Mon, Mar 05, 2012 at 11:29:46AM +0100, Niels Thykier wrote:
> On 2012-03-05 04:47, Kees Cook wrote:
> > - It requires the latest dpkg-dev (still in experimental) to get
> > the dpkg-buildflags that supports --query-features.
>
> Unfortunately I see two issues here. First, we have been asked to avoid
> the unconditional dpkg-dev dependency (see #626476). Perhaps we can use
> libdpkg-perl as a fall-back in this case (like we do in
> collection/unpacked).

Hrm, well, as long as dpkg-buildflags is the right one, I don't care what
the Depends say. ;)

> The second problem is that the given version of dpkg-dev is not in
> stable[1] and (as I recall) the backport FTP masters were not too happy
> with the last backport.
>
> [1] It is not in unstable either, but at this point I am more concerned
> with getting it in stable.

Right -- though I have no way around this. All the pieces needed for these
checks come from the new dpkg-buildflags. Perhaps the hardening check can be
disabled for the backport, since it's rather meaningless for stable anyway?

> > - The hardening checker checks if it is running as part of the
> > internal test suite, so that it is disabled for all tests except
> > its own, since the bulk of the internal tests do not build with
> > hardening flags, and only for i386 and amd64 since there isn't
> > a sane way to generate the "tags" file on the fly for a test.
>
> To be honest I do not like the idea of Lintian checks/collections
> behaving differently during tests.
> I suppose we could make a """sane way to generate the "tags" file""".
> We already have several hooks in the test suite, adding another one
> should not be a great issue.

I could write a hook to generate the tags file on the fly, but that only
handles the per-arch limitation of the internal test for the hardening
checker.

> Though, we only want hardening tags emitted in a selected few tests...

This was the big problem. I spent a lot of time trying to see how bad it
would be to fix every build in the testsuite to DTRT with respect to
dpkg-buildflags, but it was a losing battle. Or, at least, a tedious battle.
Ultimately I decided it was better to just have the hardening checker disable
itself in the face of the other tests. I'm open to ideas for this part, but a
lot of the test builds don't pass all the needed flags, or hard code flags,
etc etc.
Changing the compat level worked for many of the failures, but not all, and
left about 30 that still needed to be changed by hand. If it's important to
do this strictly correctly, I can; it'll just take me a while.

-Kees

--
Kees Cook @debian.org
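An added example, not code from Lintian or dpkg, sketching the decision the thread describes: consume the stanza output of `dpkg-buildflags --query-features hardening` (Feature:/Enabled: pairs, the format documented in the dpkg-buildflags manual) and only act on i386 and amd64, where the checker can produce its expected tags. The sample output, function names and the per-architecture list are assumptions for illustration.

```shell
# Constructed sample of `dpkg-buildflags --query-features hardening` output;
# not captured from a real host.
SAMPLE_FEATURES='Feature: pie
Enabled: no

Feature: stackprotector
Enabled: yes

Feature: fortify
Enabled: yes

Feature: format
Enabled: yes

Feature: relro
Enabled: yes

Feature: bindnow
Enabled: no
'

# features_with_state STATE: read Feature:/Enabled: stanzas on stdin and print
# the names whose Enabled: value equals STATE ("yes" or "no"), one per line.
features_with_state() {
    awk -v want="$1" '
        /^Feature:/ { name = $2 }
        /^Enabled:/ { if ($2 == want) print name }
    '
}

# hardening_check_applies ARCH: the checker in the thread only knows how to
# produce its expected "tags" file for i386 and amd64, so stay silent elsewhere.
hardening_check_applies() {
    case "$1" in
        i386|amd64) return 0 ;;
        *)          return 1 ;;
    esac
}

# disabled_hardening ARCH: print the hardening features that are off for the
# build, or nothing when the architecture is out of the checker's scope.
disabled_hardening() {
    hardening_check_applies "$1" || return 0
    printf '%s' "$SAMPLE_FEATURES" | features_with_state no
}

disabled_hardening amd64   # prints pie and bindnow, one per line
```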