Bug#654117: Please enabled hardened build flags
On 01/01/2012 11:30 PM, Rogier Wolff wrote:
> Hi,
>
> I don't have a debian/rules in my upstream distribution. Should I grab a copy somewhere and start distributing it?

Nah. This flag-adding mechanism is a debian-specific build thing.

However, the hardening flags that it adds are not debian-specific and you might want to look over the list of them and see if you want to include any. On my amd64 system they are currently:

CFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security
CPPFLAGS=-D_FORTIFY_SOURCE=2
CXXFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security
FFLAGS=-g -O2
LDFLAGS=-Wl,-z,relro

For reference, the debian/ folder (and any patches to your source that Debian adds - there currently aren't any since you've integrated all of them) are in the .diff.gz patch that Debian distributes along with the .orig.tar.gz source.

Moritz: What's the best method (if you're aware of one) to allow a package to still build on debian stable after these changes? As far as I can tell, --export=configure isn't in stable's dpkg-buildflags, /usr/share/dpkg/buildflags.mk isn't in stable, debhelper compat level 9 isn't in stable, etc.

--
Robert Woodcock - r...@debian.org
We've worked with our purchasing team to bring in many companies to compete on our main cabin tidbit item (pretzels). To date, no one has been able to match our current cost, about 3 cents per package. -- US Airways management
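A check a package build could run on its flag strings before calling configure, written against the flag list quoted in the message above. This is an added example, not part of the thread or of the mtr packaging; the function names are hypothetical, and accepting the `-strong`/`-all` stack-protector variants is an assumption beyond that list.

```shell
#!/bin/sh
# Added example: audit flag strings against the hardening list quoted above.

# has_word FLAGS WORD: true if WORD is one space-separated item of FLAGS.
has_word() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# last_opt FLAGS: print the last -O option, which is the one the compiler obeys.
last_opt() (
    set -f                      # no globbing while word-splitting the flags
    last=""
    for w in $1; do
        case "$w" in -O*) last=$w ;; esac
    done
    printf '%s\n' "$last"
)

# has_relro LDFLAGS: true if a -Wl, item hands "-z relro" to the linker,
# including combined forms such as -Wl,-z,relro,-z,now.
has_relro() (
    set -f
    for w in $1; do
        case "$w" in
            -Wl,*) case ",${w#-Wl,}," in *,-z,relro,*) exit 0 ;; esac ;;
        esac
    done
    exit 1
)

# missing_hardening CFLAGS CPPFLAGS LDFLAGS
# Prints the missing items on one line; returns 0 only when nothing is missing.
missing_hardening() {
    miss=""
    # Assumption: the stronger variants from newer GCC also count.
    has_word "$1" -fstack-protector || has_word "$1" -fstack-protector-strong ||
        has_word "$1" -fstack-protector-all || miss="$miss -fstack-protector"
    has_word "$1" -Werror=format-security || miss="$miss -Werror=format-security"
    has_word "$2" -D_FORTIFY_SOURCE=2     || miss="$miss -D_FORTIFY_SOURCE=2"
    has_relro "$3"                        || miss="$miss -Wl,-z,relro"
    # _FORTIFY_SOURCE only takes effect when the compiler optimises.
    case "$(last_opt "$1")" in
        ""|-O0) miss="$miss optimisation(-O1+)" ;;
    esac
    miss=${miss# }
    printf '%s\n' "$miss"
    [ -z "$miss" ]
}
```

Called as `missing_hardening "$(dpkg-buildflags --get CFLAGS)" "$(dpkg-buildflags --get CPPFLAGS)" "$(dpkg-buildflags --get LDFLAGS)"`, it reports when a release's dpkg-buildflags emits only `-g -O2`.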
Bug#654117: Please enabled hardened build flags
On Mon, Jan 02, 2012 at 08:30:31AM +0100, Rogier Wolff wrote:
> Hi,
>
> I don't have a debian/rules in my upstream distribution. Should I grab a copy somewhere and start distributing it?

No, that's not necessary. That's a Debian-specific build directory.

Cheers,
Moritz
Bug#654117: Please enabled hardened build flags
Hi Robert,

On Mon, Jan 02, 2012 at 08:11:45AM -0800, Robert Woodcock wrote:
> On 01/01/2012 11:30 PM, Rogier Wolff wrote:
> > Hi,
> >
> > I don't have a debian/rules in my upstream distribution. Should I grab a copy somewhere and start distributing it?
>
> Moritz: What's the best method (if you're aware of one) to allow a package to still build on debian stable after these changes? As far as I can tell, --export=configure isn't in stable's dpkg-buildflags, /usr/share/dpkg/buildflags.mk isn't in stable, debhelper compat level 9 isn't in stable, etc.

I'm attaching an alternative, backport-friendly, patch: dpkg-buildflags already exists in stable (only that it doesn't emit the hardened build flags, but only e.g. -g -O2 for CFLAGS).

For oldstable-backports there's no real solution, but security support for Lenny ends in a month, so its days are counted anyway :-)

Cheers,
Moritz

diff -aur mtr-0.82.orig/debian/rules mtr-0.82/debian/rules --- mtr-0.82.orig/debian/rules 2012-01-02 19:29:54.0 +0100 +++ mtr-0.82/debian/rules 2012-01-02 19:30:43.0 +0100 @@ -10,6 +10,10 @@ export DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) export DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) +CFLAGS = `dpkg-buildflags --get CFLAGS` +LDFLAGS = `dpkg-buildflags --get LDFLAGS` +CPPFLAGS = `dpkg-buildflags --get CPPFLAGS` + # FOR AUTOCONF 2.52 AND NEWER ONLY ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE)) confflags += --build $(DEB_HOST_GNU_TYPE) 
@@ -26,7 +30,7 @@ touch aclocal.m4 \ touch configure - mkdir mtr cd mtr ../configure $(confflags) --prefix=`pwd`/debian/tmp/usr --mandir=`pwd`/debian/tmp/usr/share/man --sbindir=`pwd`/debian/tmp/usr/bin --enable-gtk2 + mkdir mtr cd mtr ../configure CFLAGS=$(CFLAGS) CPPFLAGS=$(CPPFLAGS) LDFLAGS=$(LDFLAGS) $(confflags) --prefix=`pwd`/debian/tmp/usr --mandir=`pwd`/debian/tmp/usr/share/man --sbindir=`pwd`/debian/tmp/usr/bin --enable-gtk2 make -C mtr mkdir mtr-tiny cd mtr-tiny ../configure --prefix=`pwd`/debian/tmp/usr --mandir=`pwd`/debian/tmp/usr/share/man --sbindir=`pwd`/debian/tmp/usr/bin --without-gtk Nur in mtr-0.82/debian: rules~.
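Review bot: The three assignments added in the first hunk (`CFLAGS = `dpkg-buildflags --get CFLAGS`` and the LDFLAGS and CPPFLAGS lines) store the literal backtick text in the make variables, so dpkg-buildflags only runs when the value reaches a recipe shell, and it runs again on every use. Assigning with `CFLAGS := $(shell dpkg-buildflags --get CFLAGS)`, and likewise for the other two, evaluates each command once when the rules file is parsed and gives make the real flag string.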
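Review bot: In the `../configure` line added by the second hunk, `CFLAGS=$(CFLAGS)`, `CPPFLAGS=$(CPPFLAGS)` and `LDFLAGS=$(LDFLAGS)` are unquoted, so the shell splits a multi-word value such as `-g -O2` and configure receives `CFLAGS=-g` followed by a stray `-O2` argument. Quote each one, for example `CFLAGS="$(CFLAGS)"`. The mtr-tiny `../configure` call in the trailing context is left unchanged, so that build gets none of the flags; it needs the same three arguments.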
Bug#654117: Please enabled hardened build flags
Package: mtr
Version: 0.82-1
Severity: important
Tags: patch

Please enable hardened build flags through dpkg-buildflags. Patch attached.

Cheers,
Moritz

diff -aur mtr-0.82.orig/debian/rules mtr-0.82/debian/rules --- mtr-0.82.orig/debian/rules 2012-01-02 02:26:06.0 +0100 +++ mtr-0.82/debian/rules 2012-01-02 02:27:45.0 +0100 @@ -26,10 +26,10 @@ touch aclocal.m4 \ touch configure - mkdir mtr cd mtr ../configure $(confflags) --prefix=`pwd`/debian/tmp/usr --mandir=`pwd`/debian/tmp/usr/share/man --sbindir=`pwd`/debian/tmp/usr/bin --enable-gtk2 + mkdir mtr cd mtr ../configure $(shell dpkg-buildflags --export=configure) $(confflags) --prefix=`pwd`/debian/tmp/usr --mandir=`pwd`/debian/tmp/usr/share/man --sbindir=`pwd`/debian/tmp/usr/bin --enable-gtk2 make -C mtr - mkdir mtr-tiny cd mtr-tiny ../configure --prefix=`pwd`/debian/tmp/usr --mandir=`pwd`/debian/tmp/usr/share/man --sbindir=`pwd`/debian/tmp/usr/bin --without-gtk + mkdir mtr-tiny cd mtr-tiny ../configure $(shell dpkg-buildflags --export=configure) --prefix=`pwd`/debian/tmp/usr --mandir=`pwd`/debian/tmp/usr/share/man --sbindir=`pwd`/debian/tmp/usr/bin --without-gtk make -C mtr-tiny touch build-stamp Nur in mtr-0.82/debian: rules~.
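Review bot: Both `+` lines call `$(shell dpkg-buildflags --export=configure)` inline with no check on what it returns. `$(shell ...)` does not stop make when the command fails, so a dpkg-buildflags that rejects `--export=configure` leaves both configure runs with no flags at all while the build still succeeds. Evaluate the call once into a variable near the top of the rules file, stop the build if that variable is empty, and reuse it in the mtr and mtr-tiny configure lines.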
Bug#654117: Please enabled hardened build flags
Hi,

I don't have a debian/rules in my upstream distribution. Should I grab a copy somewhere and start distributing it?

Rogier.

On Mon, Jan 02, 2012 at 02:31:30AM +0100, Moritz Muehlenhoff wrote:
> Package: mtr
> Version: 0.82-1
> Severity: important
> Tags: patch
>
> Please enable hardened build flags through dpkg-buildflags. Patch attached.
>
> Cheers,
> Moritz
>
> diff -aur mtr-0.82.orig/debian/rules mtr-0.82/debian/rules --- mtr-0.82.orig/debian/rules2012-01-02 02:26:06.0 +0100 +++ mtr-0.82/debian/rules 2012-01-02 02:27:45.0 +0100 @@ -26,10 +26,10 @@ touch aclocal.m4 \ touch configure - mkdir mtr cd mtr ../configure $(confflags) --prefix=`pwd`/debian/tmp/usr --mandir=`pwd`/debian/tmp/usr/share/man --sbindir=`pwd`/debian/tmp/usr/bin --enable-gtk2 + mkdir mtr cd mtr ../configure $(shell dpkg-buildflags --export=configure) $(confflags) --prefix=`pwd`/debian/tmp/usr --mandir=`pwd`/debian/tmp/usr/share/man --sbindir=`pwd`/debian/tmp/usr/bin --enable-gtk2 make -C mtr - mkdir mtr-tiny cd mtr-tiny ../configure --prefix=`pwd`/debian/tmp/usr --mandir=`pwd`/debian/tmp/usr/share/man --sbindir=`pwd`/debian/tmp/usr/bin --without-gtk + mkdir mtr-tiny cd mtr-tiny ../configure $(shell dpkg-buildflags --export=configure) --prefix=`pwd`/debian/tmp/usr --mandir=`pwd`/debian/tmp/usr/share/man --sbindir=`pwd`/debian/tmp/usr/bin --without-gtk make -C mtr-tiny touch build-stamp Nur in mtr-0.82/debian: rules~.

--
** r.e.wo...@bitwizard.nl ** http://www.BitWizard.nl/ ** +31-15-2600998 **
** Delftechpark 26 2628 XH Delft, The Netherlands. KVK: 27239233 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
The plan was simple, like my brother-in-law Phil. But unlike Phil, this plan just might work.