Hi again,

Quoting Johannes Schauer (2014-03-18 01:03:27)
> after having tried that and other things without avail I tried using
> 
>     export DEB_BUILD_HARDENING=1
> 
> in debian/rules. This enables hardening-wrapper and should thus work no matter
> what goes wrong in the build system. Interestingly the problems remain. I 
> tried
> running hardening-check manually on the generated binary:
> 
> $ hardening-check ./obj-x86_64-linux-gnu/server/vcmiserver
> ./obj-x86_64-linux-gnu/server/vcmiserver:
>  Position Independent Executable: yes
>  Stack protected: yes
>  Fortify Source functions: no, only unprotected functions found!
>  Read-only relocations: yes
>  Immediate binding: yes

Turns out that the unprotected functions are probably false positives because
"blhc --all" shows no output at all. This means that all hardening options are
set during compilation. Here is the verbose hardening-check output:

 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
        unprotected: memset
        unprotected: memmove
        unprotected: poll
        unprotected: memcpy
 Read-only relocations: yes
 Immediate binding: yes

This is now produced without hardening-wrapper but instead by using

    export DEB_BUILD_MAINT_OPTIONS=hardening=+all

in debian/rules. Turns out that the build system is actually not broken and
passes all flags on just fine and no hackery with CMAKE_CXX_FLAGS or the like
is needed.  :)

The fixed version has been uploaded to mentors.

Now I need somebody to look over the packaging and a mentor :)

cheers, josch
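
Added example, not part of the original message: a small Python parser for the verbose hardening-check report shown above. It lists the checks that are not reported as "yes", with their unprotected functions, so they can be cross-checked against the build log the way the message does with "blhc --all". The names parse_report and needs_flag_review are made up for this illustration.

```python
import re

# Verbose hardening-check report copied from the message above.
REPORT = """\
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
        unprotected: memset
        unprotected: memmove
        unprotected: poll
        unprotected: memcpy
 Read-only relocations: yes
 Immediate binding: yes
"""

DETAIL = re.compile(r"^\s+(protected|unprotected):\s*(\S+)$")
CHECK = re.compile(r"^\s*([^:]+):\s*(.+)$")


def parse_report(text):
    """Return {check name: {"result": str, "protected": [...], "unprotected": [...]}}."""
    checks, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        detail = DETAIL.match(line)
        if detail and current is not None:
            # Indented per-function line belonging to the preceding check.
            checks[current][detail.group(1)].append(detail.group(2))
            continue
        check = CHECK.match(line)
        if check:  # a "<binary path>:" header has no value and is skipped
            current = check.group(1).strip()
            checks[current] = {"result": check.group(2).strip(),
                               "protected": [], "unprotected": []}
    return checks


def needs_flag_review(checks):
    """Names of checks not reported as 'yes'; these are the ones to compare
    with what the build log says about the compiler flags."""
    return [name for name, c in checks.items() if not c["result"].startswith("yes")]


if __name__ == "__main__":
    parsed = parse_report(REPORT)
    for name in needs_flag_review(parsed):
        print(name, "->", parsed[name]["result"], parsed[name]["unprotected"])
```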


--
Archive: https://lists.debian.org/20140318174638.1302.16415@hoothoot
