Package: dpkg-dev
Version: 1.21.7
Severity: normal
Please add "-ftrivial-auto-var-init=zero" for GCC 12 (which is the first
release of GCC to provide this flag).
It goes well with the other important security flaw mitigation flags
already enabled in Debian:
https://wiki.debian.org/Hardening#dpkg-
in this very misleading commit log.
What is going on here?
-Kees
[1] https://lore.kernel.org/lkml/202105280915.9117D7C@keescook/
--
Kees Cook
Hi Ben,
On Mon, Jun 22, 2020 at 01:53:09PM +0100, Ben Hutchings wrote:
> On Sat, 2020-06-20 at 16:38 -0700, Kees Cook wrote:
> > Package: wnpp
> > Severity: wishlist
> > Owner: Kees Cook
> >
> > * Package name: prince-of-persia
> > Version :
Package: wnpp
Severity: wishlist
Owner: Kees Cook
* Package name: prince-of-persia
Version : 1.20
Upstream Author : Dávid Nagy
* URL : https://github.com/NagyD/SDLPoP
* License : GPL-3+
Programming Lang: C
Description : SDL port of the classic Prince
Package: debmirror
Version: 1:2.33
Followup-For: Bug #961197
I think this patch will fix the problem...
--- debmirror~ 2020-05-25 22:33:49.328041109 -0700
+++ debmirror 2020-05-25 22:32:12.255722606 -0700
@@ -2326,6 +2326,8 @@
push (@errlog,$@);
$num_errors++;
}
+
Package: debmirror
Version: 1:2.33
Followup-For: Bug #625696
This needs fixing for security.debian.org. Right now I'm forced to use
"--rsync-extra none" which seems sub-optimal. :)
nds on
CONFIG_SECCOMP_FILTER.
--
Kees Cook@debian.org
On Sat, Mar 14, 2020 at 06:56:30PM +, Scott Kitterman wrote:
>
>
> On March 14, 2020 12:14:48 PM UTC, Guillem Jover wrote:
> >Hi!
> >
> >On Fri, 2020-03-06 at 20:43:05 -0800, Kees Cook wrote:
> >> Package: ftp.debian.org
> >> Severity: normal
&g
Package: ftp.debian.org
Severity: normal
Thanks!
Package: ftp.debian.org
Severity: normal
Thanks!
Package: ftp.debian.org
Severity: normal
Please remove jirc. :)
Thanks!
Package: scantool
Version: 1.21+dfsg-7
Severity: normal
Tags: patch
Instead of masking the ttyUSB* behind the dzcomm "COM*" names, add
support for native Linux serial port handling. This patch appears
to be from Ubuntu Forums user "jlac":
https://ubuntuforums.org/showthread.php?t=901550&page=4&hi
tag 907268 patch
thanks
The attached patch fixes LIRC for me...
--
Kees Cook@debian.org
diff -Nru xine-ui-0.99.9/debian/changelog xine-ui-0.99.9/debian/changelog
--- xine-ui-0.99.9/debian/changelog 2017-01-21 19:12:02.0 -0800
+++ xine-ui
Package: devscripts
Version: 2.17.12ubuntu1
Severity: normal
File: /usr/bin/hardening-check
Tags: patch
Dear Maintainer,
When hardening-check runs "readelf", it's possible that a large stderr
will fill the internal pipe before readelf exits, blocking the process
forever. This can happen with thin
cs for PROT_EXEC on subprofiles.
> A diff between the profile in the 16.01 Ubuntu package and current HEAD (for
> 16.09) is attached, could you try out that one instead?
I've tried the diff but the problem remains: I still need "m" on the su in the
su
subprofile.
Th
Fix attached...
--
Kees Cook@debian.org
diff -Nru ejabberd-16.09/debian/changelog ejabberd-16.09/debian/changelog
--- ejabberd-16.09/debian/changelog 2017-02-05 04:19:29.0 -0800
+++ ejabberd-16.09/debian/changelog 2017-04-22 07:24
Package: ejabberd
Version: 16.01-2
Severity: normal
Hello!
It looks like the apparmor profile for ejabberdctl's exec of "su" is
missing the "m" permission for the binary, which causes it to fail
when run as root:
# ejabberdctl status
/usr/sbin/ejabberdctl: line 428: 21780 Segmentation fault
27;t
> know what happened with that. That said, I do not feel the tool fits
> into lintian - at least not with lintian current design.
devscripts seems fine to me if lintian doesn't want it. :)
-Kees
--
Kees Cook@debian.org
rks it as deprecated for quite a while now.
>
> Kees, what do you think?
Yeah, it (and hardening-includes) should get removed in favor of
the dpkg-buildflags method. However, this means we need to move the
"hardening-check" script from hardening-includes to lint
This is a kernel bug, not a dosemu bug. Please see:
https://lkml.org/lkml/2015/8/13/435
--
Kees Cook@debian.org
(lists
of syscalls), and environment-ignoring: it just calls gcc directly --
is that how autopkgtests should be doing builds?
Thanks!
-Kees
--
Kees Cook
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
es libseccomp-dev files in /usr/lib)?
Thanks!
-Kees
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
=10544
This was fixed in Gnome upstream and in Ubuntu:
https://bugs.launchpad.net/ubuntu/+source/nautilus/+bug/714958
https://bugs.launchpad.net/ubuntu/+source/nautilus/+bug/724285
The attached patch likely needs the dbus names changed to, e.g.,
"org.mate.ScreenSaver".
Thanks!
-Kees
--
nce Jessie will ship at least 3.16, I think it would be a
good change to backport.
> 2) Has it been submitted upstream?
I have not, no.
Thanks!
-Kees
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debia
Here's an updated patch with proper headers. :)
Also, for background on the solution, see:
http://blog.netherlabs.nl/articles/2009/01/18/the-ultimate-so_linger-page-or-why-is-my-tcp-not-reliable
--
Kees Cook@debian.org
Description: it is possibl
connection.
-Kees
--
Kees Cook@debian.org
Index: cyrus-sasl2-2.1.26.dfsg1/saslauthd/ipc_unix.c
===
--- cyrus-sasl2-2.1.26.dfsg1.orig/saslauthd/ipc_unix.c 2012-01-27 15:31:36.0 -0800
+++ c
#x27;__stack_chk_fail_local'}))) {
> good($name, "yes")
> }
>
> Regards,
>Alex
Thanks!
-Kees
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
hell: /bin/sh linked to /bin/dash
Versions of packages cpio depends on:
ii libc6 2.19-0ubuntu6.3
cpio recommends no packages.
Versions of packages cpio suggests:
ii libarchive1 2.8.5-5
-- no debconf information
Description: Identify how to perform "fast erase" operations on devices tha
Upload approved in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=750699
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Yay! I was able to convince upstream to do a micro release, so now the
delta is tiny. I've attached the new debdiff, which shows just the cert
chain and algo updates, with user agent reporting for their end. Much much
better.
-Kees
--
Kees
Potential patch ...
--
Kees Cook@debian.org
Description: pass through exit codes when possible, otherwise report
failure and full waitpid status and exit with a failure.
Author: Kees Cook
Index: faketime-0.9.5/src/faketime.c
Package: faketime
Version: 0.9.5-2
Severity: normal
The "faketime" tool does not pass the error code of the child process:
$ /bin/false
$ echo $?
1
$ faketime "+1 day" /bin/false
$ echo $?
0
-- System Information:
Debian Release: jessie/sid
APT prefers trusty-updates
APT policy: (500, 'trus
> passes my review and tests (which I trust, given how good Damyan's
> work usually is). My goal here is to help the perl maintainers deal
> with the transition to 5.20. What do you think?
Yeah, that patch looks fine. Thanks!
-Kees
--
Kees Cook
oposed update to
> debian/watch (#738531) while I'm at it. Thoughts?
That'd be great, yes.
> Of course, it would be preferable to upload 2.8.3 instead, and fix
> these bugs at the same time :)
I've seen some reports that 2.8.3 has issues with the apache
Severity: serious
This breaks SMTP TLS connections to debian.org when the client presents
a sha512 cert:
^ grep confSERVER_CERT /etc/mail/sendmail.mc
define(`confSERVER_CERT',`/etc/ssl/certs/smtp-cert.pem')dnl
$ openssl x509 -text -noout -in /etc/ssl/certs/smtp-cert.pem | grep 'Signature
Algori
On Thu, Jan 16, 2014 at 02:59:54PM -0800, John Johansen wrote:
> On 01/16/2014 02:57 PM, John Johansen wrote:
> > On 01/16/2014 02:49 PM, Kees Cook wrote:
> >> On Thu, Jan 16, 2014 at 07:37:04PM +0100, Didier 'OdyX' Raboud wrote:
> >>> Le jeudi, 1
e end up doing very
CPU expensive work for no reason. The point of dh-apparmor is to reload a
single profile, not all of them. Doing a trigger for all-profile reload
isn't something we want. Think of the situation where someone has 5000
apache virtual host profiles and they update cups. We ne
exactly what you
> want.
Per-policy reloads must happen before a daemon restarts, so they cannot be
triggers.
All-policy reloads should be avoided entirely, so they shouldn't be
triggers either. :)
-Kees
--
Kees Cook
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
h problems
> in the future.
I will try to reproduce this with parallel=5 (I've used =4), and chase any
resulting bug upstream.
Thanks for finding this!
-Kees
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
ort the FTBFS separately.
After fixing the bison3-induced FTBFS, I still can't reproduce this i386
build problem. I'm uploading again now, and will see what the buildds
produce...
-Kees
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to
I'm not sure what's happening here. Running without an AAHatName should
result in a hat name of "DEFAULT_URI". Try setting AAHatName in your
top-level apache configuration?
This likely needs to be reported upstream.
--
Kees Cook
On Mon, Oct 07, 2013 at 01:08:44AM +0200, Bastian Blank wrote:
> On Sun, Oct 06, 2013 at 03:47:10PM -0700, Kees Cook wrote:
> > I don't want to ship a static library for libseccomp unless there is a
> > demonstrated requirement to do it.
>
> I'm thinking about
ess there is a
demonstrated requirement to do it. Given that this is a security-sensitive
library, I want to actively discourage any kind of static linking.
(This policy has already uncovered bugs in things like qemu.)
-Kees
--
Kees Cook@debian.org
--
I'm open to suggestions on how to accomplish this. Unfortunately, I don't
know of a reliable way for the optimization level of an ELF to be
discovered.
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.
SASSL daemons on localhost and my primary
interface. With the addition of IPv6, this pushes me to 12 combinations
of listeners.
I suggest raising this seemingly arbitrary limit to much larger. Please see
attached patch.
Thanks!
-Kees
--
Kees Cook@debia
good default, and if specific system owners don't want it
enabled, they can choose to turn it off in /etc/sysctl.d/, just like other
things.
-Kees
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with
6-only by definition I'd agree that it's a bug,
> but since it's not the case, I'm not sure why you closed it.
At the moment, libseccomp is closely tied to building only on architectures
that support seccomp. As those architectures are added, I'll be adding mor
for now. I can imagine situations where this might come
up (some init implementation being written static and wanting libseccomp),
so when that shows up, we can close this bug then. In the meantime, I'll
keep resisting. :)
> Thanks, also for finding a bug in qemu
seccomp mode 2 (which is what libseccomp works with) is only supported on
x86. ARM support will be added in kernel version 3.8.
-Kees
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of
I would strongly prefer to avoid shipping a static library for this package
to avoid programs linking to this non-dynamically, especially since it
makes security updates more difficult to track. Do you have a compelling
need for this?
-Kees
--
Kees Cook
tunately requires DOS to build (yay batch files), and the
amount of work to get it building from source is huge. Te DOSEMU folks
already did this work, and since the source is not changing, there is no
reason to do rebuilds.
I'll add a note to the copyrigh
m.
Thanks,
-Kees
--
Kees Cook@debian.org
Description: setting "backoff-cutoff 0;" in dhclient.conf will cause
dhclient to divide by zero and crash. It should be handled more
gracefully.
Author: Kees Cook
Index: isc-dhcp-4.2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: freeze-exception
Please unblock package libseccomp
libseccomp just released their 1.0.0 version which has ABI changes over the
earlier 0.1.0 release. This is a new library and no packages in Debian
Argh, the body should say "Version 2.7.103-4 contains fixes for ..."
^
EMOARCOFFEE
-Kees
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a
d directories we might collide
+with apparmor on during purge.
+ * debian/patches/fix-network-rule-support.patch: handle lack of
+networking features correctly (Closes: 679597).
+
+ -- Kees Cook Mon, 16 Jul 2012 11:52:42 -0700
+
apparmor (2.7.103-3) unstable; urgency=low
* debian/cont
nclude it now, thanks for catching that!
-Kees
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
and
CAP_SYS_RAWIO) before the system init starts.
Thanks,
-Kees
--
Kees Cook@debian.org
diff -Nru initramfs-tools-0.106/debian/changelog
initramfs-tools-0.107~0kees1/debian/changelog
--- initramfs-tools-0.106/debian/changelog 2012-06-07
ave to be
> applied
>
> If the networking patch is applied
> these two patches can be applied or ignored, 0001 will be folded into the
> compat
> interface patch upstream, and then 0002 will be folded into the networking
> patch
> 0001-apparmor-remove-advertising-the-support-of-network-r.patch
> 0002-apparmor-Advertise-network-mediation-from-the-compat.patch
>
> these two patches address the two bugs pointed out in the networking patch
> 0003-apparmor-Fix-quieting-of-audit-messages-for-network-.patch
> 0004-apparmor-Ensure-apparmor-does-not-mediate-kernel-bas.patch
My preference would be to apply the networking patch, along with 0003
and 0004 posted here.
-Kees
--
Kees Cook
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Hi Dererk,
On Fri, Jun 22, 2012 at 01:49:32PM -0300, Dererk wrote:
> What do you think about switching "if type aa-status" for a "if [ -x
> /usr/sbin/aa-status ]" instead?
Yeah, this seems like the best solution. I'll get this fixed
Does this happen with the recent upload with the r2080 snapshot?
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Hi Ben,
On Tue, Jun 05, 2012 at 08:43:21PM +0100, Ben Hutchings wrote:
> On Tue, 2012-06-05 at 11:07 -0700, Kees Cook wrote:
> > Package: wnpp
> > Severity: wishlist
> > Owner: Kees Cook
> >
> > * Package name: libseccomp
> > Version : 0
Package: wnpp
Severity: wishlist
Owner: Kees Cook
* Package name: libseccomp
Version : 0.1.0
Upstream Author : Paul Moore
* URL : https://sourceforge.net/projects/libseccomp/
* License : LGPLv2
Programming Lang: C
Description : High level interface to
ect.
> > The return code is changed in Reset_handle_clone function.
> > As a fix, just setting is_not_genuine_scan_tool=FALSE makes it usable.
Does changing both work as well? It seems like sending RESET_CLOSE_DIALOG
isn't right either, based on the state machine that sets
RESET_HANDLE_C
used, it should mark it safe. However, I believe Kees
> (CC'ed) can correct me on (or confirm) the above.
Correct. If none of the functions are found, it passes. If there is a mix
of protected and unprotected, it passes. If only protected are found, it
passes. If only unprotected are fo
Thanks for the testing and details. I've got the needed changes staged
in experimental now.
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble?
efore the
main AppArmor init script runs.
-Kees
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
our limited resources on more critical targets.
There's not reason to drop the binary package. Once apache2.4 is in
unstable, we can just update the pieces. In the meantime, I can prepare
an upload in experimental.
--
Kees Cook@debian.org
--
To UNSU
rch.
-Kees
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
's not "certain", for sure, but it doesn't seem
like what I'd think of as a "wild-guess". In practice, if its behavior
is more like the "wild-guess" checks, then it would make sense to drop
it to that level.
Perhaps we should examine some subset of the archive t
> """
> # The original shell script version of this script is
> # Copyright (C) 1998 Christian Schwarz
> #
> # The objdump version, including support for etch's binutils, is
> # Copyright (C) 2008 Adam D. Barratt
> #
> # This version, a trimmed-down wrapp
ining item is:
+ revise tag certainty and description:
- overrides (we can't do much about FP etc.)
What is needed for this? Should I expand the descriptions more? Or was
there something else?
Thanks!
-Kees
--
Kees Cook@debian.org
>
)
Read-only relocations: yes
Immediate binding: no not found!
It looks like the LDFLAGS are not being passed to the build.
Thanks!
-Kees
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject
the data file idea, I
think I might do the same for hardening-check and have it build the list of
functions at build-time. I can check if a binary is using libc without
running ldd, and I only needed ldd to generate the function list dynamically.
If it's static,
Hello,
The attached patches are needed in libcaca and toilet to fix
rendering width when specifying the -w option in toilet. For
users of figfont that do not set up a terminal width in their
canvas first, I've left the old default of 80 characters.
Thanks,
-Kees
--
Kees
On Tue, Mar 06, 2012 at 11:36:42AM -0800, Russ Allbery wrote:
> Kees Cook writes:
>
> > Okay. In that case, I think the work needs to be broken into several pieces:
>
> > - make lintian work for wheezy (but disable internal tests for hardening)
>
> A better way th
Hi Russ,
On Tue, Mar 06, 2012 at 10:08:31AM -0800, Russ Allbery wrote:
> Kees Cook writes:
>
> > This was the big problem. I spent a lot of time trying to see how bad it
> > would be to fix every build in the testsuite to DTRT with respect to
> > dpkg-buildflags, but it
On Tue, Mar 06, 2012 at 06:36:07PM +0100, Niels Thykier wrote:
> On 2012-03-06 01:58, Kees Cook wrote:
> > Right -- though I have no way around this. All the pieces needed for
> > these checks come from the new dpkg-buildflags. Perhaps the hardening
> > check can be disa
On Mon, Mar 05, 2012 at 11:29:46AM +0100, Niels Thykier wrote:
> On 2012-03-05 04:47, Kees Cook wrote:
> > - It requires the lastest dpkg-dev (still in experimental) to get
> > the dpkg-buildflags that supports --query-features.
>
> Unfortunately I see two issues here.
nerate the "tags" file on the fly for a test.
Doing manual testing shows that building, for example, the "hello"
package as-is triggers appropriate warnings, and when I fix the "hello"
package to import the dpkg-buildflags correctly, the lintian wa
> > Immediate binding: no not found!
> >
> > so if there's a failure here, it seems to be somewhere inside g++, or a
> > need to include more than just -D_FORTIFY_SOURCE=2 to enable this.
>
> Hmm, I'm not sure what's wrong here.
First of all, in debian
On Wed, Jan 11, 2012 at 03:12:39PM -0700, Bdale Garbee wrote:
> On Sun, 11 Sep 2011 11:14:39 -0700, Kees Cook wrote:
> > Package: sudo
> > Version: 1.7.4p6-1
> > Severity: normal
> > Tags: patch
> > User: ubuntu-de...@lists.ubuntu.com
> > Usertags: origin-u
n't be in mainline, right. Carrying the compat
patch in the Debian kernel would be nice, but I'd like to see this all
solved correctly.
In the meantime, the tool emit the warning.
-Kees
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to
On Thu, Dec 29, 2011 at 04:14:47AM +0100, Guillem Jover wrote:
> On Wed, 2011-12-28 at 15:28:45 -0800, Kees Cook wrote:
> > On Sun, Dec 18, 2011 at 09:42:50AM +0100, Guillem Jover wrote:
> > > On Fri, 2011-12-16 at 16:39:25 -0800, Kees Cook wrote:
> >
Hi Guillem,
On Sun, Dec 18, 2011 at 09:42:50AM +0100, Guillem Jover wrote:
> On Fri, 2011-12-16 at 16:39:25 -0800, Kees Cook wrote:
> > Fresh patch attached! :)
>
> Thanks! Could you split the refactoring/cleaning into its own patch
> (actually something that already crossed
(or whatever name pleases you), including dh_apparmor
> in it, and then ask on -devel who is looking for a home for orphan dh_*
> scripts.
If there's no other scripts, I could just toss it into the apparmor package
too. Gergely, let me know how you'd like me to handle it. I'm fin
uot; of the dh_* tools is considered stable and exportable, I have
no problem with this. If debhelper will change its "ABI" in the future,
then this separate package is going to be a pain to maintain.
-Kees
--
Kees Cook@debian.org
--
To UNS
Package: libgphoto2
Version: 2.4.11-3.1
Severity: normal
Tags: patch
Hello!
In an effort to reach the Multi-Arch release goal, here is a patch to
build libgphoto2 for Multi-Arch, along with a few other subtle fixes. :)
Thanks!
-Kees
--
Kees Cook
Package: libcap2
Version: 1:2.22-1
Severity: normal
Tags: patch
Hi!
In support of the Multi-Arch release goal, here is a patch that builds
libcap2 to be Multi-Arch installable, which includes splitting the PAM
module into a separate package.
Thanks!
-Kees
--
Kees Cook
Package: libgd2
Version: 2.0.36~rc1~dfsg-6
Severity: normal
Tags: patch
Hi!
The attached patch provides the changes needed to build with Multi-Arch
support, and removes the shipped .la files completely. Both are in support
of their respective release goals.
Thanks,
-Kees
--
Kees Cook
On Fri, Dec 16, 2011 at 09:25:10AM +0100, Raphael Hertzog wrote:
> On Thu, 15 Dec 2011, Kees Cook wrote:
> > While doing this, it seemed that creating a full "set_feature()" callback
> > was more work than it needed to be. I can certainly add it, but I thought
> > I&
Hi Raphael,
On Fri, Dec 09, 2011 at 12:02:21PM +0100, Raphael Hertzog wrote:
> On Thu, 08 Dec 2011, Kees Cook wrote:
> > This patch adds that ability, and lets the environment correctly adjust it:
> >
> > $ dpkg-buildflags --features hardening
> > -bindnow,+
ev doesn't ship any shared objects, it doesn't need the
Pre-Depends, but yes, everything else was in the wiped-out control file. :)
Thanks!
-Kees
--
Kees Cook@debian.org
diff -Nru libproxy-0.3.1/debian/changelog libproxy-0.3.1/debian/changelog
native library perspective
> in run time.
>
> To get this, is the use of dpkg-architecture best way or simpler way.
I would use DEB_HOST_MULTIARCH during the build to hardcode it into
the program, which is what is already done for things like ibus-daemon
via the buil
On Fri, Dec 09, 2011 at 02:27:25PM -0400, Joey Hess wrote:
> Kees Cook wrote:
> > Uhm, it wasn't something that made sense to forward to Debian until now,
> > since it would have had nearly zero value without the apparmor package
> > existing in Debian.
>
> In othe
On Fri, Dec 09, 2011 at 09:27:18AM +0100, Alexander Reichle-Schmehl wrote:
> Am 08.12.2011 23:40, schrieb Kees Cook:
> >> Backporting concerns and output stability:
> >> ==
> >>
> >> Both the FTP-masters and Lin
to examine its environment from
only the native library perspective. At least that is my understanding of
the logic in that script.
Thanks!
-Kees
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Package: libproxy
Version: 0.3.1-4
Severity: normal
Tags: patch
Hello,
This patch provides support for Multi-Arch for the release goal.
Thanks,
-Kees
--
Kees Cook@debian.org
diff -Nru libproxy-0.3.1/debian/changelog libproxy-0.3.1/debian/changelog
Package: ibus
Version: 1.4.0-2
Severity: normal
Tags: patch
Hello!
This patch provides full Multi-Arch support for ibus and the libraries and
plugins it ships.
Thanks!
-Kees
--
Kees Cook@debian.org
diff -Nru ibus-1.4.0/debian/changelog ibus-1.4.0
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650536
--
Kees Cook@debian.org
>From 8a8a1414ad6cac4d22ca732eaa9e14f802e82e29 Mon Sep 17 00:00:00 2001
From: Kees Cook
Date: Thu, 8 Dec 2011 15:53:14 -0800
Subject: [PATCH] dpkg-buildflags: provide feature
The modified .install file must be made executable now (this does not show
up in the diff).
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Conta
1 - 100 of 541 matches
Mail list logo
