Author: ucko Date: 2012-05-11 03:32:08 +0000 (Fri, 11 May 2012) New Revision: 10820
Added: trunk/packages/ncbi-blast+/trunk/debian/patches/use_pie_for_apps Modified: trunk/packages/ncbi-blast+/trunk/debian/changelog trunk/packages/ncbi-blast+/trunk/debian/control trunk/packages/ncbi-blast+/trunk/debian/patches/series trunk/packages/ncbi-blast+/trunk/debian/rules Log: ncbi-blast+: Enable full hardening flags, introducing a small patch (use_pie_for_apps) to reflect the need to build executables and libraries differently.
Modified: trunk/packages/ncbi-blast+/trunk/debian/changelog
===================================================================
--- trunk/packages/ncbi-blast+/trunk/debian/changelog 2012-05-11 03:29:27 UTC (rev 10819)
+++ trunk/packages/ncbi-blast+/trunk/debian/changelog 2012-05-11 03:32:08 UTC (rev 10820)
@@ -10,6 +10,9 @@
 - Use modern syntax for making protected base members public.
 - Add forward declarations as needed.
 * Wrap and sort build dependencies to ease maintenance thereof.
+ * Enable full hardening flags, introducing a small patch
+ (use_pie_for_apps) to reflect the need to build executables and
+ libraries differently.
 [ Andreas Tille ]
 * debian/control: Modernize Vcs-* fields.
Modified: trunk/packages/ncbi-blast+/trunk/debian/control
===================================================================
--- trunk/packages/ncbi-blast+/trunk/debian/control 2012-05-11 03:29:27 UTC (rev 10819)
+++ trunk/packages/ncbi-blast+/trunk/debian/control 2012-05-11 03:32:08 UTC (rev 10820)
@@ -3,6 +3,7 @@
 Priority: optional
 Build-Depends: autotools-dev (>= 20100122),
 debhelper (>= 7.0.50~),
+ dpkg-dev (>= 1.16.1),
 libboost-test-dev,
 libbz2-dev,
 libc0.3-dev (>= 2.13-9~) [hurd-i386],
Modified: trunk/packages/ncbi-blast+/trunk/debian/patches/series
===================================================================
--- trunk/packages/ncbi-blast+/trunk/debian/patches/series 2012-05-11 03:29:27 UTC (rev 10819)
+++ trunk/packages/ncbi-blast+/trunk/debian/patches/series 2012-05-11 03:32:08 UTC (rev 10820)
@@ -4,3 +4,4 @@
 no_multiarch_rpath
 wrong_path_to_touch.patch
 fix_gcc47_errors
+use_pie_for_apps
Added: trunk/packages/ncbi-blast+/trunk/debian/patches/use_pie_for_apps
===================================================================
--- trunk/packages/ncbi-blast+/trunk/debian/patches/use_pie_for_apps (rev 0)
+++ trunk/packages/ncbi-blast+/trunk/debian/patches/use_pie_for_apps 2012-05-11 03:32:08 UTC (rev 10820)
@@ -0,0 +1,20 @@
+Subject: build executables with -fPIE, not -fPIC
+
+* -fPIC is only useful for shared libraries; substitute -fPIE (to be
+ accompanied by appropriate APP_LDFLAGS) when building executables.
+
+Author: Aaron M. Ucko <u...@debian.org>
+Last-Update: 2012-05-10
+--- a/c++/src/build-system/Makefile.app.in
++++ b/c++/src/build-system/Makefile.app.in
+@@ -24,8 +24,8 @@
+
+ ### C/C++ source file compilation (and maybe auto-dependencies) build rules
+
+-CXXFLAGS_ALL = @f_compile@ $(CXXFLAGS) $(LOCAL_CPPFLAGS) $(CPPFLAGS)
+-CFLAGS_ALL = @f_compile@ $(CFLAGS) $(LOCAL_CPPFLAGS) $(CPPFLAGS)
++CXXFLAGS_ALL = @f_compile@ $(CXXFLAGS:-fPIC=-fPIE) $(LOCAL_CPPFLAGS) $(CPPFLAGS)
++CFLAGS_ALL = @f_compile@ $(CFLAGS:-fPIC=-fPIE) $(LOCAL_CPPFLAGS) $(CPPFLAGS)
+ SOURCES = @UNIX_SRC@ $(SRC)
+ include $(builddir)/Makefile.$(Rules)
+
Modified: trunk/packages/ncbi-blast+/trunk/debian/rules
===================================================================
--- trunk/packages/ncbi-blast+/trunk/debian/rules 2012-05-11 03:29:27 UTC (rev 10819)
+++ trunk/packages/ncbi-blast+/trunk/debian/rules 2012-05-11 03:32:08 UTC (rev 10820)
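Review bot: The substitution references in the two added `*_ALL` lines of the use_pie_for_apps patch only rewrite a `-fPIC` that is already present in `$(CXXFLAGS)` / `$(CFLAGS)`. If the flag is absent (it presumably comes from configure's `--with-dll`, which this hunk does not show), application objects are compiled with neither option while debian/rules still links them with `-fPIE -pie`. Depending on the architecture that ends in a link failure or in executables carrying text relocations, which undoes part of the hardening. I would record the dependency in the patch header, e.g. `* Relies on configure (--with-dll) having put -fPIC into CFLAGS/CXXFLAGS.`, and confirm after the build that the programs are PIE (ELF type `DYN` in `readelf -h`). Makefile.app.in continues outside the inner hunk.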
@@ -7,7 +7,7 @@
 DEB_CONFIGURE_EXTRA_FLAGS=--with-dll --with-mt --without-autodep \
 --without-makefile-auto-update --with-flat-makefile --without-caution \
 --without-dbapi --without-lzo --with-runpath=/usr/lib/ncbi-blast+ \
- --with-build-root=BUILD LDFLAGS='-Wl,--as-needed -Wl,--enable-new-dtags'
+ --with-build-root=BUILD
 proj=algo/blast/ app/ objmgr/ objtools/align_format/ objtools/blast/
 # XXX - not quite right, as we get -DNDEBUG vs. -D_DEBUG
@@ -17,12 +17,21 @@
 DEB_CONFIGURE_EXTRA_FLAGS += --with-optimization
 endif
+export DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie
+ DEB_HOST_ARCH := $(shell dpkg-architecture -qDEB_HOST_ARCH)
+
+CFLAGS := $(shell dpkg-buildflags --get CFLAGS)
+CPPFLAGS := $(shell dpkg-buildflags --get CPPFLAGS)
+CXXFLAGS := $(shell dpkg-buildflags --get CXXFLAGS)
+LDFLAGS := $(shell dpkg-buildflags --get LDFLAGS) -Wl,--as-needed
+
 ifneq (,$(findstring mips,$(DEB_HOST_ARCH)))
-DEB_CONFIGURE_EXTRA_FLAGS += CXXFLAGS=-O FAST_CXXFLAGS=-O
+CXXFLAGS := $(CXXFLAGS:-O%=-O)
+DEB_CONFIGURE_EXTRA_FLAGS += FAST_CXXFLAGS=-O
 endif
-export MAKE
+export CFLAGS CPPFLAGS CXXFLAGS LDFLAGS MAKE
 llp=LD_LIBRARY_PATH
 override_dh_auto_configure:
@@ -30,7 +39,9 @@
 CONFIG_SHELL=/bin/bash ./configure $(DEB_CONFIGURE_EXTRA_FLAGS)
 override_dh_auto_build:
- cd c++/BUILD/build && make -f Makefile.flat all_projects="$(proj)"
+ cd c++/BUILD/build && \
+ make -f Makefile.flat all_projects="$(proj)" \
+ APP_LDFLAGS='-Wl,-E -fPIE -pie'
 override_dh_auto_test:
 -dh_auto_test
@@ -65,7 +76,7 @@
 `basename $$x .files`.module purge_sources); \
 done
 rm -rf c++/BUILD c++/compilers/dll c++/config.log c++/Makefile
- rm -f c++/src/objects/blastxml/blastxml.module
+ rm -f c++/configure.lineno c++/src/objects/blastxml/blastxml.module
 %:
 dh $@ -Dc++ --with autotools_dev --with quilt
_______________________________________________ debian-med-commit mailing list debian-med-commit@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/debian-med-commit
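Review bot: The `@@ -7,7 +7,7 @@` hunk of debian/rules removes `-Wl,--enable-new-dtags` together with the configure-time `LDFLAGS`, and the replacement `LDFLAGS :=` line in the next hunk restores only `-Wl,--as-needed`. With `--with-runpath=/usr/lib/ncbi-blast+` still in place, this may turn the run path from DT_RUNPATH into DT_RPATH (depending on the linker's default), and DT_RPATH is searched before `LD_LIBRARY_PATH`. Neither the log nor the changelog entry mentions it. If the drop is unintended, keep the option: `LDFLAGS := $(shell dpkg-buildflags --get LDFLAGS) -Wl,--as-needed -Wl,--enable-new-dtags`.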
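Review bot: In the `@@ -17,12 +17,21 @@` hunk of debian/rules, `export DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie` is unlikely to reach the four `$(shell dpkg-buildflags --get …)` calls. GNU Make before 4.4 does not pass makefile-exported variables to `$(shell)`, so dpkg-buildflags would return its default set and the extra feature that `+all,-pie` asks for (bindnow) would be missing from the exported flags. Either hand the option to each call explicitly, as sketched below, or include `/usr/share/dpkg/buildflags.mk` from dpkg-dev, after checking that the version in use forwards the maintainer options. Looking for `-Wl,-z,now` in the build log would show which set is in effect.

```make
export DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie
# $(shell) in GNU Make < 4.4 does not see makefile exports; pass the option explicitly.
buildflag = $(shell DEB_BUILD_MAINT_OPTIONS='$(DEB_BUILD_MAINT_OPTIONS)' dpkg-buildflags --get $(1))

CFLAGS   := $(call buildflag,CFLAGS)
CPPFLAGS := $(call buildflag,CPPFLAGS)
CXXFLAGS := $(call buildflag,CXXFLAGS)
LDFLAGS  := $(call buildflag,LDFLAGS) -Wl,--as-needed
# … unchanged: mips -O adjustment, export of the flag variables …
```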
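Review bot: In the `@@ -30,7 +39,9 @@` hunk, `APP_LDFLAGS` is passed on the make command line, which overrides every assignment to that variable inside the build tree, so any linker flags a makefile sets for an individual application are dropped silently. `-Wl,-E` presumably repeats the configured default, but nothing visible says so. A comment above the recipe should say where `-Wl,-E` comes from and record the coupling, e.g. `# -fPIE -pie here pairs with debian/patches/use_pie_for_apps`. While the line is being rewritten, `$(MAKE) -f Makefile.flat …` instead of a literal `make` would keep `-n` and the jobserver working. The recipe is fully visible in the hunk.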