Bug#644427: [Pkg-openldap-devel] Bug#644427: openldap: please enable hardening options

2011-10-05 Thread Pierre Chifflier
On Wed, Oct 05, 2011 at 01:26:47PM -0700, Steve Langasek wrote:
> tags 644427 - patch
> thanks
> 
> On Wed, Oct 05, 2011 at 09:10:57PM +0200, Pierre Chifflier wrote:
> 
> > --- openldap-2.4.25.orig/debian/rules   2011-10-05 18:56:46.0 
> > +0200
> > +++ openldap-2.4.25/debian/rules2011-10-05 18:09:23.0 +0200
> > @@ -6,7 +6,10 @@
> >  # want the checks for DFSG-freeness.
> >  #DFSG_NONFREE = 1
> >  
> > -CFLAGS = -Wall -g -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE
> > +DPKG_EXPORT_BUILDFLAGS = 1
> > +include /usr/share/dpkg/buildflags.mk
> > +
> > +CFLAGS += -Wall -g -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE
> >  INSTALL = install
> >  INSTALL_FILE= $(INSTALL) -p-o root -g root  -m  644
> >  INSTALL_PROGRAM = $(INSTALL) -p-o root -g root  -m  755
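Review bot: the three added lines carry no comment and set no DEB_BUILD_MAINT_OPTIONS, so the build gets only the default hardening set, without PIE and bindnow, and a later reader of debian/rules cannot tell whether that was a choice. For a daemon package, either add "export DEB_BUILD_MAINT_OPTIONS = hardening=+pie,+bindnow" ahead of the include line, or add a one-line comment stating why those two are left off.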
> 
> nack on this implementation.  makefile includes are a terrible interface.

Sure. As written, the rationale was to propose a patch with minimal changes.

> 
> I am intending to spend some time this weekend to work on bringing the
> openldap packaging up to dh(1) and compat level 9 so we can let debhelper
> take care of this for us (like it ought).

The most problematic change I can see is that dh 9 also includes
multi-arch, and since openldap uses a lot of shared libraries this could
be tricky.

Thanks for taking care of that!

Pierre



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#644427: [Pkg-openldap-devel] Bug#644427: openldap: please enable hardening options

2011-10-05 Thread Steve Langasek
On Wed, Oct 05, 2011 at 09:10:57PM +0200, Pierre Chifflier wrote:
> Source: openldap
> Severity: normal
> Tags: patch
> User: debian...@lists.debian.org
> Usertags: hardening

BTW, please note that this is not the usertag for the release goal.  It's a
tag for tracking packages that *fail to build* when hardening is turned on.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer   http://www.debian.org/
slanga...@ubuntu.com vor...@debian.org






Bug#644427: [Pkg-openldap-devel] Bug#644427: openldap: please enable hardening options

2011-10-05 Thread Steve Langasek
tags 644427 - patch
thanks

On Wed, Oct 05, 2011 at 09:10:57PM +0200, Pierre Chifflier wrote:

> --- openldap-2.4.25.orig/debian/rules 2011-10-05 18:56:46.0 +0200
> +++ openldap-2.4.25/debian/rules  2011-10-05 18:09:23.0 +0200
> @@ -6,7 +6,10 @@
>  # want the checks for DFSG-freeness.
>  #DFSG_NONFREE = 1
>  
> -CFLAGS = -Wall -g -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE
> +DPKG_EXPORT_BUILDFLAGS = 1
> +include /usr/share/dpkg/buildflags.mk
> +
> +CFLAGS += -Wall -g -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE
>  INSTALL = install
>  INSTALL_FILE= $(INSTALL) -p-o root -g root  -m  644
>  INSTALL_PROGRAM = $(INSTALL) -p-o root -g root  -m  755
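Review bot: the changed CFLAGS line extends only CFLAGS, while the flags that buildflags.mk provides are split across CFLAGS, CPPFLAGS and LDFLAGS (the fortify define lives in CPPFLAGS, relro in LDFLAGS). DPKG_EXPORT_BUILDFLAGS = 1 puts all of them in the environment, but the hunk does not show how the rest of debian/rules calls configure, so please confirm that nothing further down passes its own CPPFLAGS or LDFLAGS and silently drops the hardening ones. The two -D defines are preprocessor flags and would sit better in a "CPPFLAGS +=" line, and -g is already part of the dpkg default CFLAGS.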

nack on this implementation.  makefile includes are a terrible interface.

I am intending to spend some time this weekend to work on bringing the
openldap packaging up to dh(1) and compat level 9 so we can let debhelper
take care of this for us (like it ought).

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer   http://www.debian.org/
slanga...@ubuntu.com vor...@debian.org






Bug#644427: openldap: please enable hardening options

2011-10-05 Thread Pierre Chifflier
Source: openldap
Severity: normal
Tags: patch
User: debian...@lists.debian.org
Usertags: hardening

Hardening options is a proposed release goal for Wheezy [1].

Having important packages, interpreters and daemons compiled with the
hardening options will add various protections against issues such as
stack smashing, predictable locations of values in memory, etc.

I have rebuilt the package with hardening options enabled and there was
no error (during build, or at runtime).

The attached patch adds a minimal modification to the debian/rules file
to add support for hardening flags (other methods are available).
Note that PIE and bindnow are not enabled by default, and that you can
decide to enable these options for additional features (see the following
link for details).

You can control and enable/disable each hardening flag independently,
see
http://lists.debian.org/debian-devel-announce/2011/09/msg1.html
for details.

Thanks,
Pierre

[1] http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
--- openldap-2.4.25.orig/debian/rules   2011-10-05 18:56:46.0 +0200
+++ openldap-2.4.25/debian/rules2011-10-05 18:09:23.0 +0200
@@ -6,7 +6,10 @@
 # want the checks for DFSG-freeness.
 #DFSG_NONFREE = 1
 
-CFLAGS = -Wall -g -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
+
+CFLAGS += -Wall -g -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE
 INSTALL = install
 INSTALL_FILE= $(INSTALL) -p-o root -g root  -m  644
 INSTALL_PROGRAM = $(INSTALL) -p-o root -g root  -m  755
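Review bot: the unconditional "include /usr/share/dpkg/buildflags.mk" makes the build abort when that file is missing, and the patch touches only debian/rules, so nothing guarantees a dpkg-dev recent enough to ship it. Add a versioned build dependency in debian/control alongside this change (buildflags.mk arrived with dpkg-dev 1.16.1) so that a build on an older toolchain fails at dependency resolution with a clear message rather than in the middle of make.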