❦ 19 August 2013 11:46 CEST, Tom Lee <deb...@tomlee.co>:

>> The easiest way is to use Lintian (I use it with -viI).
>>
>>
> Odd, I don't see any warnings:
>
> tom@desktop:~/Source$ lintian -viI capnproto_0.2.0-1.dsc
> N: Using profile debian/main.
> N: Setting up lab in /tmp/temp-lintian-lab-q9W0nEVK6F ...
> N: Unpacking packages in group capnproto/0.2.0-1
> N: ----
> N: Processing source package capnproto (version 0.2.0-1, arch source) ...
>
> I also see what looks like hardening-related CXXFLAGS during the build.
> Stuff like this:
>
> -D_FORTIFY_SOURCE=2 -I./src -I./src  -g -O2 -fPIE -fstack-protector
> --param=ssp-buffer-size=4 -Wformat -Werror=format-security
>
> The warning appears on mentors.debian.net:
> http://mentors.debian.net/package/capnproto
>
> Maybe related to this bug:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673112#10
>
> Based on this bug & assuming you can see the _FORTIFY_SOURCE etc. during
> your build I'd be inclined to add another override for this -- what do you
> think?
>
> Weird I can't reproduce it locally.

Try with "hardening-check" then:
/usr/bin/capnp:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: yes

The unprotected functions are getcwd() and memcpy().

In the bug you pointed to, it seems that memcpy() can be left unprotected
when it is used as a replacement for strcpy(). Maybe there is no other
issue with getcwd(). Since there is no use of other commonly protected
functions like *printf(), this should be a false positive. Therefore,
yes, add a lintian override.

>> Well, you shouldn't get this warning. Maybe it was here because you were
>> build-depending on python-support?
>>
>
> Doesn't seem that way. From the control file:
>
> Build-Depends: debhelper (>= 8.0.0), gcc (>= 4.7),
>  python-all (>= 2.6), dpkg-dev (>= 1.16.1.1), docbook-xsl, docbook-xml,
>  xsltproc, autotools-dev
>
> Removed --with python2 from debian/rules and I see this near the end of the
> build:
>
> ...
>    dh_install
>    dh_installdocs
>    dh_installchangelogs
>    dh_installman
>    dh_pysupport
> dh_pysupport: This program is deprecated, you should use dh_python2
> instead. Migration guide: http://deb.li/dhs2p

Oh, OK. Just ignore this warning. dh_pysupport is just called because
you are using compat 8 and it is installed.
-- 
Make your program read from top to bottom.
            - The Elements of Programming Style (Kernighan & Plauger)
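
The "Fortify Source functions" verdict discussed in this message can be reasoned about with a simplified model of the symbol comparison. The following is an added example, not part of the original email and not hardening-check's own code. The function list is a small assumed subset, the verdict wording other than the "only unprotected" case is this example's own, and the `readelf --dyn-syms` rows are constructed samples:

```python
import re

# Assumption: a small subset of glibc functions that have a fortified
# __<name>_chk variant; a real checker carries a much longer list.
FORTIFIABLE = {"memcpy", "getcwd", "strcpy", "strcat", "sprintf",
               "snprintf", "printf", "fprintf", "read", "memset"}

# Name column of an undefined FUNC row in `readelf --dyn-syms` output.
_UND_ROW = re.compile(r"\bFUNC\s+\w+\s+\w+\s+UND\s+([A-Za-z_][A-Za-z0-9_]*)")

def imported_functions(readelf_output):
    """Return the set of imported function names, version suffix removed."""
    matches = (_UND_ROW.search(line) for line in readelf_output.splitlines())
    return {m.group(1) for m in matches if m}

def classify(imports):
    """Return (verdict, protected, unprotected) for a set of imported names."""
    protected = sorted(n[2:-4] for n in imports
                       if n.startswith("__") and n.endswith("_chk")
                       and n[2:-4] in FORTIFIABLE)
    unprotected = sorted(imports & FORTIFIABLE)
    if protected:
        verdict = "yes"
    elif unprotected:
        # The case reported for /usr/bin/capnp in the thread.
        verdict = "no, only unprotected functions found"
    else:
        verdict = "unknown, no protectable libc functions used"
    return verdict, protected, unprotected

# Constructed sample modelled on the thread: getcwd() and memcpy() imported
# without any *_chk counterpart.
SAMPLE_UNPROTECTED = """\
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND getcwd@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND write@GLIBC_2.2.5 (2)
"""

# Constructed sample: one fortified call next to a plain memcpy().
SAMPLE_MIXED = """\
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __sprintf_chk@GLIBC_2.3.4 (4)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (3)
"""

if __name__ == "__main__":
    for label, text in (("unprotected", SAMPLE_UNPROTECTED), ("mixed", SAMPLE_MIXED)):
        print(label, classify(imported_functions(text)))
```

A plain `memcpy` import does not by itself show that the build ignored `-D_FORTIFY_SOURCE=2`: the compiler emits the unchecked call whenever it cannot determine the destination size or can prove the copy safe at compile time.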
