Bug#650536: ITM: Please review hardening-support branch to fix #650536 (Was: Re: Bug#650536: update!)

2012-04-04 Thread Niels Thykier
On 2012-04-01 17:16, Niels Thykier wrote: [...] I have rebased the branch and it is now available from [1] and I intend to merge it into master before we do the 2.5.7 release. As mentioned, I have added a new test suite hook[0], which some may (or may not) find controversial. Assuming no

Bug#650536: ITM: Please review hardening-support branch to fix #650536 (Was: Re: Bug#650536: update!)

2012-04-04 Thread Kees Cook
On Wed, Apr 04, 2012 at 11:45:38PM +0200, Niels Thykier wrote: * Remove bindnow and nopie tags - It was not possible to trigger them (not enabled). I guess this is okay since we'd need to rebuild lintian to get the new dpkg-buildflags defaults if pie was enabled for an arch. -Kees --

Bug#650536: ITM: Please review hardening-support branch to fix #650536 (Was: Re: Bug#650536: update!)

2012-04-02 Thread Niels Thykier
On Apr 1, 2012 17:42 Kees Cook k...@debian.org wrote: On Sun, Apr 01, 2012 at 05:16:38PM +0200, Niels Thykier wrote: [...] Kees, btw, are you certain of the copyright statements in collection/hardening-info? # The original shell script version of this script is # Copyright (C) 1998

Bug#650536: ITM: Please review hardening-support branch to fix #650536 (Was: Re: Bug#650536: update!)

2012-04-02 Thread Kees Cook
On Mon, Apr 02, 2012 at 11:25:26AM +0200, Niels Thykier wrote: No, at least the hardening-no-stackprotector can be triggered in a perfectly safe program where the stack protector is not needed. We worked around this in the test suite by ensuring there was a stack that needed protection, but I

Bug#650536: ITM: Please review hardening-support branch to fix #650536 (Was: Re: Bug#650536: update!)

2012-04-02 Thread Niels Thykier
On 2012-04-02 18:28, Kees Cook wrote: On Mon, Apr 02, 2012 at 11:25:26AM +0200, Niels Thykier wrote: No, at least the hardening-no-stackprotector can be triggered in a perfectly safe program where the stack protector is not needed. We worked around this in the test suite by ensuring there was

Bug#650536: update!

2012-04-01 Thread Kees Cook
Hi Niels, On Sun, Mar 11, 2012 at 12:16:09AM +0100, Niels Thykier wrote: I have started an unofficial branch[1] to get something more concrete on this. I decided to rename the tags so they had a common prefix (it simplified the update to t/scripts/implemented-tags.t). Attached is a patch to

Bug#650536: ITM: Please review hardening-support branch to fix #650536 (Was: Re: Bug#650536: update!)

2012-04-01 Thread Niels Thykier
On Apr 1, 2012 09:21 Kees Cook k...@debian.org wrote: Hi Niels, On Sun, Mar 11, 2012 at 12:16:09AM +0100, Niels Thykier wrote: I have started an unofficial branch[1] to get something more concrete on this. I decided to rename the tags so they had a common prefix (it simplified the

Bug#650536: ITM: Please review hardening-support branch to fix #650536 (Was: Re: Bug#650536: update!)

2012-04-01 Thread Kees Cook
On Sun, Apr 01, 2012 at 05:16:38PM +0200, Niels Thykier wrote: Thanks, I have pushed it to my branch (with a minor change to also update the Depends of lintian in d/control). Great! Kees, btw, are you certain of the copyright statements in collection/hardening-info? # The original shell

Bug#650536: update!

2012-03-11 Thread Kees Cook
On Sun, Mar 11, 2012 at 12:16:09AM +0100, Niels Thykier wrote: I have bumped the debhelper standard test suite to use compat 9 by default. I doubt it will fix all the failures we saw, but at least the standard flags are enabled by default. When I was playing with it, this solved a lot but not

Bug#650536: update!

2012-03-11 Thread Niels Thykier
On 2012-03-11 13:37, Kees Cook wrote: On Sun, Mar 11, 2012 at 12:16:09AM +0100, Niels Thykier wrote: I have bumped the debhelper standard test suite to use compat 9 by default. I doubt it will fix all the failures we saw, but at least the standard flags are enabled by default. When I was

Bug#650536: update!

2012-03-10 Thread Niels Thykier
On 2012-03-06 20:26, Kees Cook wrote: Hi Russ, On Tue, Mar 06, 2012 at 10:08:31AM -0800, Russ Allbery wrote: Kees Cook k...@debian.org writes: Hi, I have started an unofficial branch[1] to get something more concrete on this. I decided to rename the tags so they had a common prefix (it

Bug#650536: update!

2012-03-06 Thread Niels Thykier
On 2012-03-06 01:58, Kees Cook wrote: On Mon, Mar 05, 2012 at 11:29:46AM +0100, Niels Thykier wrote: On 2012-03-05 04:47, Kees Cook wrote: - It requires the latest dpkg-dev (still in experimental) to get the dpkg-buildflags that supports --query-features. [...] The second problem is that

Bug#650536: update!

2012-03-06 Thread Russ Allbery
Kees Cook k...@debian.org writes: This was the big problem. I spent a lot of time trying to see how bad it would be to fix every build in the testsuite to DTRT with respect to dpkg-buildflags, but it was a losing battle. Or, at least, a tedious battle. Ultimately I decided it was better to

Bug#650536: update!

2012-03-06 Thread Kees Cook
On Tue, Mar 06, 2012 at 06:36:07PM +0100, Niels Thykier wrote: On 2012-03-06 01:58, Kees Cook wrote: Right -- though I have no way around this. All the pieces needed for these checks come from the new dpkg-buildflags. Perhaps the hardening check can be disabled for the backport, since it's

Bug#650536: update!

2012-03-06 Thread Russ Allbery
Kees Cook k...@debian.org writes: On Tue, Mar 06, 2012 at 06:36:07PM +0100, Niels Thykier wrote: Lintian.d.o, ftp-master.d.o and potentially a lot of developers run Lintian on a Debian/Squeeze. I suspect a static data file is better than disabling it for Squeeze. Oh, you mean they'll run

Bug#650536: update!

2012-03-06 Thread Kees Cook
Hi Russ, On Tue, Mar 06, 2012 at 10:08:31AM -0800, Russ Allbery wrote: Kees Cook k...@debian.org writes: This was the big problem. I spent a lot of time trying to see how bad it would be to fix every build in the testsuite to DTRT with respect to dpkg-buildflags, but it was a losing

Bug#650536: update!

2012-03-06 Thread Russ Allbery
Kees Cook k...@debian.org writes: Okay. In that case, I think the work needs to be broken into several pieces: - make lintian work for wheezy (but disable internal tests for hardening) A better way than disabling it might be to just list the expected tags until the test cases have been

Bug#650536: update!

2012-03-06 Thread Kees Cook
On Tue, Mar 06, 2012 at 11:36:42AM -0800, Russ Allbery wrote: Kees Cook k...@debian.org writes: Okay. In that case, I think the work needs to be broken into several pieces: - make lintian work for wheezy (but disable internal tests for hardening) A better way than disabling it might be

Bug#650536: update!

2012-03-05 Thread Niels Thykier
On 2012-03-05 04:47, Kees Cook wrote: Okay, here's the latest version. Some notes: Hi, Thanks for the update. - It requires the latest dpkg-dev (still in experimental) to get the dpkg-buildflags that supports --query-features. Unfortunately I see two issues here. First, we have been

Bug#650536: update!

2012-03-05 Thread Kees Cook
On Mon, Mar 05, 2012 at 11:29:46AM +0100, Niels Thykier wrote: On 2012-03-05 04:47, Kees Cook wrote: - It requires the latest dpkg-dev (still in experimental) to get the dpkg-buildflags that supports --query-features. Unfortunately I see two issues here. First, we have been asked to

Bug#650536: update!

2012-03-04 Thread Kees Cook
Okay, here's the latest version. Some notes: - It requires the latest dpkg-dev (still in experimental) to get the dpkg-buildflags that supports --query-features. - The hardening checker only expects the hardened features that are defaulted on for the architecture of the package it is