Hello,
>https://anonscm.debian.org/cgit/pkg-security/curvedns.git/
>I've made some changes but the blhc issue is still here :/ I think it might be worth asking on the debian-mentors mailing list why the PIE flag is not injected anymore by debhelper...
Anyhow, the hacky approach works
http://debomatic-amd64.debian.net/distribution#unstable/curvedns/0.87-1/buildlog
diff --git a/debian/patches/hardening_support.patch b/debian/patches/hardening_support.patch index 4117497..fd5860b 100644 --- a/debian/patches/hardening_support.patch +++ b/debian/patches/hardening_support.patch
@@ -11,8 +11,8 @@ Last-Update: 2017-05-17 CC=@CC@ -CFLAGS=@CFLAGS@ $(CDNSCFLAGS) $(EVCFLAGS) -LDFLAGS=-L$(NACLLIB) $(EVLDFLAGS) -+CFLAGS+=@CFLAGS@ $(CDNSCFLAGS) $(EVCFLAGS) $(CPPFLAGS) -+LDFLAGS+=-L$(NACLLIB) $(EVLDFLAGS) ++CFLAGS+=@CFLAGS@ $(CDNSCFLAGS) $(EVCFLAGS) $(CPPFLAGS) -fPIE -fpie -pie ++LDFLAGS+=-L$(NACLLIB) $(EVLDFLAGS) -fPIE -fpie -pie # do not edit below G. 2017-06-14 17:57 GMT+02:00 Stéphane Neveu <stefne...@gmail.com>: > Gianfranco, Philippe, > > I've just pushed my updated package on mentors again, because my ssh > key isn't working on alioth yet... > >>> lets review: >>> >>> >>> debian/copyright has some GPL-2 packaging, why not just take the same >>> upstream license >>> >>> for the packaging? >>> > > license-reconcile told me to do so but following your advice I've > changed everything to BSD-2-clause. > > >>> >>> lots of useless files? >>> >>> debian/README.source >>> >>> debian/README.Debian >>> >>> debian/service >>> debian/env >>> >>> (and so on) >>> > > yes, all those files are deleted now sorry. > >>> >>> and lots of debian files, e.g. is debian/dirs needed? >>> >>> (usually it is a task for the upstream build system to install >>> directories) >>> > > Yes no automated install. > >>> override_dh_installinit: >>> dh_installinit >>> > > Sorry deleted. > >>> >>> >>> I will continue the review after the above is fixed >>> >>> >>> some CPPFLAGS seems missing? >>> >>> http://debomatic-amd64.debian.net/distribution#unstable/curvedns/0.87-1/blhc >>> > > Yes I still have this issue, I made a patch but it doesn't seem to fix blhc. > >>> and some stuff is uselessly installed in the end user system (e.g. README >>> files) >>> >>> >>> (the packaging looks good, but I prefer less files to review, if >>> something can be just >>> deleted) >>> >>> G. >> > > Thank you Gianfranco ! > >> >> Little review: >> >> >> $ splint -I . +posixlib -preproc -standard *.c >> <lot>... 
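Review bot: the two `++` lines hardcode `-fPIE -fpie -pie` into CFLAGS and LDFLAGS inside the Makefile patch, which bypasses dpkg-buildflags, so the binary will no longer follow the distribution's hardening defaults (the mail itself calls this the hacky approach). `-fpie` and `-fPIE` both request PIE code generation, so listing both is redundant, and `-pie` is a link-time flag that has no effect at compile time in CFLAGS. Since the hunk already turns the assignments into `CFLAGS+=` / `LDFLAGS+=`, the build can take the flags from the environment instead: set `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` in debian/rules (see dpkg-buildflags(1)) and drop the literal flags here, then confirm the outcome on the built binary (`readelf -h` reporting `Type: DYN` for the executable) rather than relying only on blhc's reading of the build log.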
>> And one memory leak :-/
>>
>
> Philippe, like we said, no need to patch it since it only affects the init cache.
>
>> $ env PERL5OPT=-m-lib=. license-reconcile
>> Copyright mismatch: File
>> nacl/crypto_scalarmult/curve25519/donna_c64/smult.c: Trying to match 'Google
>> Inc.' against 'Lieuwe Jan Koning' but it does not look like a good match. at
>> /usr/share/perl5/Debian/LicenseReconcile/App.pm line 222, <GEN0> line 3.
>>
>
> Google Inc. is added but license-reconcile isn't happy now for
> debian/* with my BSD-2-clause license.
>
>>
>> $ find . -type d \( -iname .bzr -o -iname .git -o -iname .hg -o -iname .svn
>> -o -iname CVS -o -iname RCS -o -iname SCCS -o -iname _MTN -o -iname _darcs
>> -o -iname .pc -o -iname .cabal-sandbox -o -iname .cdv -o -iname .metadata -o
>> -iname CMakeFiles -o -iname _build -o -iname _sgbak -o -iname
>> autom4te.cache -o -iname blib -o -iname cover_db -o -iname node_modules -o
>> -iname '~.dep' -o -iname '~.dot' -o -iname '~.nib' -o -iname '~.plst' \)
>> -prune -o -type f ! \( -iname '*.bak' -o -iname '*.swp' -o -iname '#.*' -o
>> -iname '#*#' -o -iname 'core.*' -o -iname '*~' -o -iname '*.gif' -o -iname
>> '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' -o -iname '*.min.js' -o -iname
>> '*.js.map' -o -iname '*.js.min' -o -iname '*.min.css' -o -iname '*.css.map'
>> -o -iname '*.css.min' -o -iname '*.wav' \) -exec env PERL5OPT=-m-lib=.
>> spellintian --picky {}
>> <lot, but with some false-positive>
>>
>> (thanks to Paul Wise for this last line :) )
>>
>> Didn't try lintian/piuparts/blhc...
>>
>
> No more errors except in spelling.patch :)
>
>> Cheers,
>> --
>> Philippe.
>
>
> I also need to work a bit on curvedns.service to add some security features!
>
>
> Stephane
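As an added example that is not part of this thread or of the curvedns packaging: a POSIX shell check that reads e_type straight from the ELF header, so the built curvedns executable can be confirmed to be position independent (ET_DYN) independently of what blhc infers from the build log. The stub builder writes a constructed 18-byte header, not a real binary, purely so the check can be exercised offline; file names are whatever you pass in.

```shell
#!/bin/sh
# Added check, not from the thread: read the ELF header's e_type to see whether a
# binary was really linked as PIE (ET_DYN) or as a fixed-address ET_EXEC.
# Only POSIX sh, od and dd are used, so it runs inside a minimal build chroot.

# elf_type FILE -> prints EXEC, DYN or OTHER; prints NOTELF and fails for non-ELF input.
elf_type() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = 7f454c46 ] || { echo NOTELF; return 1; }
    # EI_DATA (byte 5) is 1 for little-endian, 2 for big-endian; it fixes e_type's byte order.
    data=$(od -An -tu1 -j5 -N1 "$1" | tr -d ' \n')
    # e_type is the 16-bit field at offset 16 in both ELF32 and ELF64 headers.
    set -- $(od -An -tu1 -j16 -N2 "$1")
    [ $# -eq 2 ] || { echo OTHER; return 1; }
    if [ "$data" = 2 ]; then etype=$(( $1 * 256 + $2 )); else etype=$(( $2 * 256 + $1 )); fi
    case $etype in
        2) echo EXEC ;;
        3) echo DYN ;;
        *) echo OTHER ;;
    esac
}

# is_pie FILE -> status 0 when FILE is an ET_DYN executable, i.e. built with -fPIE/-pie
# (or by a default-PIE toolchain). Shared libraries are ET_DYN too, so point it at the
# installed executable, not at a .so.
is_pie() {
    [ "$(elf_type "$1")" = DYN ]
}

# Constructed sample, not a real binary: an 18-byte ELF64 header stub (e_ident + e_type)
# so the check can be exercised offline.  make_elf_stub FILE EI_DATA E_TYPE
make_elf_stub() {
    {
        printf '\177ELF\002'                      # magic, ELFCLASS64
        printf "\\$(printf '%03o' "$2")\\001"     # EI_DATA, EI_VERSION
        dd if=/dev/zero bs=1 count=9 2>/dev/null  # remaining e_ident bytes
        if [ "$2" = 2 ]; then                     # e_type, in the header's own byte order
            dd if=/dev/zero bs=1 count=1 2>/dev/null; printf "\\$(printf '%03o' "$3")"
        else
            printf "\\$(printf '%03o' "$3")"; dd if=/dev/zero bs=1 count=1 2>/dev/null
        fi
    } > "$1"
}

# Usage: ./check-pie.sh FILE...
for f in "$@"; do
    if is_pie "$f"; then printf '%s: PIE (ET_DYN)\n' "$f"; else printf '%s: not PIE\n' "$f"; fi
done
```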