Yes!
this solution is really more upstream/friendly, so if you forward please drop a note on the patch with the link, and the last problem I found: dget -u http://mentors.debian.net/debian/pool/main/n/neko/neko_2.0.0-4.dsccd neko-2.0.0/ dpkg-buildpackage -S -sa [...] export DEB_CFLAGS_MAINT_APPEND = -fno-strict-aliasing /bin/sh: 1: export: : bad variable name I guess changing it to export DEB_CFLAGS_MAINT_APPEND = -fno-strict-aliasing (with no initial tab) fixes the issue. BTW the hardening stuff gained some gcc warnings that might be addressed upstream: cc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall -fPIC -I vm -DCOMPACT_TABLE -D_GNU_SOURCE -I libs/common -Wl,-z,relro -pthread -o vm/others.o -c vm/others.c vm/others.c: In function 'neko_val_throw': vm/others.c:484:2: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing] if( *(char**)vm->start == jit_handle_trap ) ^ vm/others.c: In function 'neko_val_rethrow': vm/others.c:493:2: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing] if( *(char**)vm->start == jit_handle_trap ) ^ cc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall -fPIC -I vm -DCOMPACT_TABLE -D_GNU_SOURCE -I libs/common -Wl,-z,relro -pthread -o libs/std/misc.o -c libs/std/misc.c libs/std/misc.c: In function 'float_of_bytes': libs/std/misc.c:81:2: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing] f = *(float*)val_string(s); ^ libs/std/misc.c: In function 'double_of_bytes': libs/std/misc.c:101:2: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing] f = *(double*)val_string(s); ^ gcc -O3 -DEAPI -fPIC -pthread $(pkg-config --cflags apr-1) -pthread -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall -fPIC -I vm -DCOMPACT_TABLE -D_GNU_SOURCE -I libs/common -c -I../../vm -I/usr/include sqlite.c In file included from sqlite.c:22:0: sqlite.c: In function 'result_next': ../../vm/neko.h:332:23: warning: 'f' may be used uninitialized in this function [-Wmaybe-uninitialized] #define alloc_field neko_alloc_field ^ sqlite.c:225:10: note: 'f' was declared here value f; ^ protocol.c: In function 'protocol_read_answer': protocol.c:401:21: warning: pointer targets in passing argument 2 of 'proto_read' differ in signedness [-Wpointer-sign] if( !proto_read(p,header,4) ) ^ protocol.c:126:13: note: expected 'char *' but argument is of type 'unsigned char *' static bool proto_read( proto *p, char *str, int len ) { ^ gcc -O3 -DEAPI -fPIC -pthread $(pkg-config --cflags apr-1) -pthread -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall -fPIC -I vm -DCOMPACT_TABLE -D_GNU_SOURCE -I libs/common -D_LARGEFILE64_SOURCE -I../common -c -I../../vm -I/usr/include/apache2 -I/usr/include/apr-1.0 mod_tora.c mod_tora.c: In function 'mod_tora_do_init': mod_tora.c:289:6: warning: unused variable 'tmp' [-Wunused-variable] int tmp = 0; ^ gcc -L/build/neko-2.0.0/src -L/usr/lib -L/usr/lib/mysql -o ../../bin/mod_tora2.ndll socket.o protocol.o mod_tora.o -shared -L../../bin -pthread -lneko -Wl,-z,relro gcc -O3 -DEAPI -fPIC -pthread $(pkg-config --cflags apr-1) -pthread -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall -fPIC -I vm -DCOMPACT_TABLE -D_GNU_SOURCE -I libs/common -D_LARGEFILE64_SOURCE -c -I../../vm -I/usr/include/apache2 -I/usr/include/apr-1.0 mod_neko.c mod_neko.c: In function 'mod_neko_do_init': mod_neko.c:322:6: warning: unused variable 'tmp' [-Wunused-variable] int tmp = 0; ^ mod_neko.c: At top level: mod_neko.c:117:13: warning: 'null_print' defined but not used [-Wunused-function] static void null_print( const char *data, int size, void *_c ) { ^ gcc -O3 -DEAPI -fPIC -pthread $(pkg-config --cflags apr-1) -pthread -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall -fPIC -I vm -DCOMPACT_TABLE -D_GNU_SOURCE -I libs/common -D_LARGEFILE64_SOURCE -c -I../../vm -I/usr/include/apache2 -I/usr/include/apr-1.0 cgi.c ui.c: In function 'ui_main': ui.c:151:2: warning: 'g_thread_init' is deprecated [-Wdeprecated-declarations] g_thread_init(NULL); the last one can be fixed with a // g_thread_init has been deprecated since version 2.32 and should not be used in newly-written code. This function is no longer necessary. The GLib threading system is automatically initialized at the start of your program. #if !(GLIB_CHECK_VERSION(2,32,0)) g_thread_init(NULL); #endif block I guess (I'm not asking you to fix the above, but I would appreciate if you can forward them upstream :) cheers, G. Il Giovedì 24 Settembre 2015 12:51, Andy Li <a...@onthewings.net> ha scritto: Hi Gianfranco, Thanks for the review! Good idea about using the *FLAGS env vars. I've updated the patch to use those and will also propose the change to upstream. I've also added back -Wall as suggested. The package has just been reuploaded to mentors. Best regards, Andy On Thu, Sep 24, 2015 at 5:54 PM, Gianfranco Costamagna <costamagnagianfra...@yahoo.it> wrote: Hi Andy, > > > >the packaging looks good. > >I did two builds with DH_VERBOSE=1 in a sid chroot >(the unstable and mentors versions) > >I did a meld between them, and I see some "issues" > >-"Wall" flag has disappeared > >(I guess not a real problem here :) ) > > >- many lines are like this one >gcc -O3 -DEAPI -fPIC -pthread $(pkg-config --cflags apr-1) -pthread >$(dpkg-buildflags --get CFLAGS) -c -I../../vm -I/usr/include/mysql mysql.c > >evaluating $(dpkg-buildflags --get CFLAGS) at each file build (and link, the >same is for LDFLAGS) is somewhat an overkill. > >I see they come from debian/patches/harden.patch, >just as TODO you might ask upstream to use *FLAGS from the environment, and >drop that patch. > > >but we are nitpicking here :) > >So if you can readd the -Wall flag I guess we are fine there :) > >cheers, > >G. >