Source: pixman
Version: 0.32.6-3
Severity: wishlist
Tags: patch
X-Debbugs-Cc: Simon Ruderich <si...@ruderich.org>

Hi,

please consider applying the attached patchset, which simplifies the handling of dpkg-buildflags and makes the hardening flags more future-proof.

Cheers,
--
intrigeri

>From 173bc48d419d88982f1ce8efe389aad51d114f8f Mon Sep 17 00:00:00 2001 From: intrigeri <intrig...@debian.org> Date: Sun, 31 Aug 2014 16:53:25 +0000 Subject: [PATCH 1/3] Simplify hardening build flags handling. Thanks to Simon Ruderich <si...@ruderich.org> for the patch. Quoting Simon Ruderich <si...@ruderich.org>: "There's no need to use dpkg-buildflags manually in debian/rules. Debhelper with compat=9 automatically enables the hardening flags when dh_auto_configure is used. So just by calling dh_auto_configure [...] the hardening flags get automatically passed to the build system. DEB_BUILD_MAINT_OPTIONS is also respected." --- debian/rules | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/debian/rules b/debian/rules index a8100d2..99d67fc 100755 --- a/debian/rules +++ b/debian/rules @@ -11,8 +11,7 @@ override_dh_auto_configure: # changelog entry: LS_CFLAGS=" " dh_auto_configure -- --disable-gtk \ --disable-silent-rules \ - --disable-arm-iwmmxt \ - $(shell dpkg-buildflags --export=configure) + --disable-arm-iwmmxt # Install in debian/tmp to retain control through dh_install: override_dh_auto_install: -- 2.1.0
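Review bot: In the override_dh_auto_configure hunk of debian/rules, dropping `$(shell dpkg-buildflags --export=configure)` is only safe if the package is at debhelper compat level 9, as the commit message assumes, and nothing in this patch shows or changes debian/compat or the debhelper build dependency. Please confirm both as part of this series, otherwise the configure step silently loses every hardening flag. Comparing the build log before and after the change (for example with blhc) would show that CFLAGS, CPPFLAGS and LDFLAGS still reach the compiler and linker.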
>From 7a54bf14aaab563d9dda268c14d8116a569385b8 Mon Sep 17 00:00:00 2001 From: intrigeri <intrig...@debian.org> Date: Sun, 31 Aug 2014 16:54:54 +0000 Subject: [PATCH 2/3] Enable all hardening build flags. Thanks to Simon Ruderich <si...@ruderich.org> for the patch. Quoting Simon again: "It currently has the same effect as hardening=+bindnow, but will automatically enable future hardening options and in case the package will ever build binaries those are immediately protected with PIE as well." --- debian/rules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/rules b/debian/rules index 99d67fc..a0e0b9e 100755 --- a/debian/rules +++ b/debian/rules @@ -3,7 +3,7 @@ PACKAGE = libpixman-1-0 SHLIBS = 0.25.2 -export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow +export DEB_BUILD_MAINT_OPTIONS = hardening=+all # Disable Gtk+ autodetection: override_dh_auto_configure: -- 2.1.0
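Review bot: On the `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` line, moving from `+bindnow` to `+all` means the effective flag set is decided by whichever dpkg-buildflags is installed at build time, so a later dpkg can change how this library is compiled without any change in the package. The commit message says the result is currently identical to `+bindnow`; a short comment above the export saying so, plus a build-log check on each architecture the package builds for, would make a later regression easier to attribute. If one feature ever breaks the build, subtract only that one (`hardening=+all,-<feature>`) rather than returning to a single opt-in.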
>From 90bc2385a5cda5ed95af24f8b2e183e550175d88 Mon Sep 17 00:00:00 2001 From: intrigeri <intrig...@debian.org> Date: Sun, 31 Aug 2014 16:56:42 +0000 Subject: [PATCH 3/3] Update changelog. Git-Dch: Ignore --- debian/changelog | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/debian/changelog b/debian/changelog index f5ebabf..ee81d21 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +pixman (0.32.6-4~1.gbp7a54bf) UNRELEASED; urgency=medium + + ** SNAPSHOT build @7a54bf14aaab563d9dda268c14d8116a569385b8 ** + + * Simplify hardening build flags handling. + Thanks to Simon Ruderich <si...@ruderich.org> for the patch. + * Enable all hardening build flags. Thanks to Simon Ruderich too. + + -- intrigeri <intrig...@debian.org> Sun, 31 Aug 2014 09:56:17 -0700 + pixman (0.32.6-3) sid; urgency=medium [ intrigeri ] -- 2.1.0
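Review bot: The new debian/changelog stanza is a snapshot entry, with version `0.32.6-4~1.gbp7a54bf`, distribution `UNRELEASED` and a `** SNAPSHOT build @...` line, and should not be applied as it stands. Take only the two bullet items, place them under the maintainer's own version, and regenerate the header and trailer at upload time. The bullets also carry no `Closes:` reference, so uploading them would not close this report; add one with this bug's number.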