On 2012-03-06 20:26, Kees Cook wrote: > Hi Russ, > > On Tue, Mar 06, 2012 at 10:08:31AM -0800, Russ Allbery wrote: >> Kees Cook <k...@debian.org> writes: >>
Hi, I have started an unofficial branch[1] to get something more concrete on this. I decided to rename the tags so they had a common prefix (it simplified the updated to t/scripts/implemented-tags.t). >>> This was the big problem. I spent a lot of time trying to see how bad it >>> would be to fix every build in the testsuite to DTRT with respect to >>> dpkg-buildflags, but it was a losing battle. Or, at least, a tedious >>> battle. Ultimately I decided it was better to just have the hardening >>> checker disable itself in the face of the other tests. >> >>> I'm open to ideas for this part, but a lot of the test builds don't pass >>> all the needed flags, or hard code flags, etc etc. Changing the compat >>> level worked for many of the failures, but not all and left about 30 >>> that still needed to be changed by hand. If it's important to do this >>> strictly correct, I can, it'll just take me a while. >> >> The general intent of the Lintian test suite is that the packages it >> produces should be Lintian-clean except for the tags that the package is >> specifically testing (or others that are unavoidable for some reason). So >> when new requirements for Debian packages are added, as a general rule of >> thumb we want to update the test suite so that it meets those requirements >> except for those tests that are testing Lintian's tags for those >> requirements. >> I have bumped the debhelper standard test suite to use compat 9 by default. I doubt it will fix all the failures we saw, but at least the standard flags are enabled by default. >> So, this is work that does need to be done eventually, I think. That >> doesn't mean it has to be a blocker for getting the tag into Lintian, >> though. > > Okay. In that case, I think the work needs to be broken into several pieces: > > - make lintian work for wheezy (but disable internal tests for hardening) > - backport hardening check to work on squeeze I just finished a patch that solves these two. I made a data file that is trivial to regenerate/update using private/refresh-archs (requiring dpkg-dev from experimental or newer). It also removes the need for dpkg-dev at runtime. :) I know you had some concerns about using data files, but I honestly think they will be the easiest way to solve the backportability problem. Since we can use dpkg-buildflags to regenerate it automatically, it should be trivial to keep it in sync. It also solves one of the test errors as dpkg-buildflags does not handle invalid architectures too well. > - build internal hardening test for all archs (hook to generate tags file) > - fix other lintian internal tests to work with hardening check This part still needs some work though. I suspect it might be a good idea to try the test suite on some different architectures at some point. These > > -Kees > Last I checked we still have an "outstanding issue" hardening-check using ldd, which I am not certain will work with "foreign" binaries (see comment #39). I suspect it will mostly affect people who do cross-builds and lintian.d.o[2]. If I recall, hardening-check falls back to assuming the binary is "safe" for the checks needing ldd data, so we should get false-negatives rather than false-positives in this case. ~Niels [1] http://anonscm.debian.org/gitweb/?p=users/nthykier/lintian.git;a=shortlog;h=refs/heads/hardening-support [2] lintian.d.o is amd64, but it checks i386 packages. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org