Bug#650536: Please add a lintian test for missing hardened build flags
Package: lintian
Version: 2.5.3
Severity: wishlist
As you're most likely well aware, hardened build flags are a release
goal for Wheezy:
http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
Please create a lintian test for packages which don't enable
hardened build flags yet. Otherwise we'll lack some momentum
in converting to hardened build flags.
I lack the time and lintian know-how to write a test myself, but
I'll try to outline the requirements as well as possible. Please
let me know if you need any additional information!
- It only needs to apply to packages implemented in C or C++
(a dep on libc6 is likely the best way to detect this?)
- Most of the work is already done by the script hardening-check
shipped in the hardening-includes package. Maybe you can simply
depend on it, since it's really tiny. Here's an example run for
exim4:
    jmm@pisco:~$ hardening-check /usr/sbin/exim4
    /usr/sbin/exim4:
     Position Independent Executable: yes
     Stack protected: yes
     Fortify Source functions: yes
     Read-only relocations: yes
     Immediate binding: yes
The options which are satisfied by dpkg-buildflags are "Stack protected",
"Fortify Source functions" and "Read-only relocations".
- Note that there's a chance of mis-detections for -fstack-protector
and -D_FORTIFY_SOURCE in the case of programs which don't use any
of the protected functions. I don't have numbers on this, but this
is a good use for a lintian override, I suppose.
Cheers,
Moritz
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
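An added example (not code from hardening-check or lintian) of how the five verdicts above can be derived from the text of `readelf -h`, `readelf -l`, `readelf -d` and `readelf -s` on constructed sample output rather than from the ELF directly; unlike the script's plain yes/no, it reports the fortify mis-detection case from the last bullet as "n/a" so a check built on it would not flag programs that use no fortifiable function at all.

```python
import re

# Constructed sample `readelf` output for a PIE binary built with the
# dpkg-buildflags defaults plus -Wl,-z,now; not a dump of a real package.
SAMPLE_HEADER = "  Type:                              DYN (Shared object file)\n"
SAMPLE_SEGMENTS = (
    "  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000\n"
    "  GNU_RELRO      0x0000000000000de8 0x0000000000200de8 0x0000000000200de8\n")
SAMPLE_DYNAMIC = (
    " 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]\n"
    " 0x000000000000001e (FLAGS)              BIND_NOW\n"
    " 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE\n")
SAMPLE_SYMBOLS = (
    "     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)\n"
    "     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (2)\n"
    "     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (2)\n")

# libc functions that -D_FORTIFY_SOURCE=2 replaces with a __*_chk variant; an
# unprotected import of one of them means fortification was not applied.
FORTIFIABLE = {"memcpy", "memset", "strcpy", "strcat", "sprintf", "snprintf", "printf", "read", "gets"}

def undefined_imports(symbols):
    """Names the binary imports (UND rows of `readelf -s`), without version tags."""
    return {m.group(1).split("@")[0] for m in re.finditer(r"\bUND\s+(\S+)", symbols)}

def check_hardening(header, segments, dynamic, symbols):
    """Map each hardening-check property to 'yes', 'no' or 'n/a'.

    'n/a' is the mis-detection case from the report: a program that imports
    neither a fortifiable function nor its __*_chk twin gives no evidence
    either way. The stack protector has the same ambiguity, but imports alone
    cannot resolve it, so a missing __stack_chk_fail is still reported as 'no'.
    """
    imports = undefined_imports(symbols)
    if any(s.startswith("__") and s.endswith("_chk") for s in imports):
        fortify = "yes"
    elif imports & FORTIFIABLE:
        fortify = "no"
    else:
        fortify = "n/a"
    bind_now = re.search(r"\(BIND_NOW\)|\(FLAGS\)\s.*\bBIND_NOW\b|\(FLAGS_1\)\s.*\bNOW\b", dynamic)
    return {
        "Position Independent Executable": "yes" if re.search(r"Type:\s+DYN", header) else "no",
        "Stack protected": "yes" if "__stack_chk_fail" in imports else "no",
        "Fortify Source functions": fortify,
        "Read-only relocations": "yes" if "GNU_RELRO" in segments else "no",
        "Immediate binding": "yes" if bind_now else "no",
    }

def dpkg_buildflags_ok(results):
    """True when none of the three properties dpkg-buildflags provides is definitely missing."""
    return all(results[k] != "no" for k in ("Stack protected", "Fortify Source functions", "Read-only relocations"))

if __name__ == "__main__":
    for name, verdict in check_hardening(SAMPLE_HEADER, SAMPLE_SEGMENTS, SAMPLE_DYNAMIC, SAMPLE_SYMBOLS).items():
        print(f" {name}: {verdict}")
```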