
Bug#650536: update!



Hi Russ,

On Tue, Mar 06, 2012 at 10:08:31AM -0800, Russ Allbery wrote:
> Kees Cook <kees@debian.org> writes:
> 
> > This was the big problem. I spent a lot of time trying to see how bad it
> > would be to fix every build in the testsuite to DTRT with respect to
> > dpkg-buildflags, but it was a losing battle. Or, at least, a tedious
> > battle.  Ultimately I decided it was better to just have the hardening
> > checker disable itself in the face of the other tests.
> 
> > I'm open to ideas for this part, but a lot of the test builds don't pass
> > all the needed flags, or hard code flags, etc etc. Changing the compat
> > level worked for many of the failures, but not all and left about 30
> > that still needed to be changed by hand. If it's important to do this
> > strictly correct, I can, it'll just take me a while.
> 
> The general intent of the Lintian test suite is that the packages it
> produces should be Lintian-clean except for the tags that the package is
> specifically testing (or others that are unavoidable for some reason).  So
> when new requirements for Debian packages are added, as a general rule of
> thumb we want to update the test suite so that it meets those requirements
> except for those tests that are testing Lintian's tags for those
> requirements.
> 
> So, this is work that does need to be done eventually, I think.  That
> doesn't mean it has to be a blocker for getting the tag into Lintian,
> though.

Okay. In that case, I think the work needs to be broken into several pieces:

- make lintian work for wheezy (but disable internal tests for hardening)
- build internal hardening test for all archs (hook to generate tags file)
- fix other lintian internal tests to work with hardening check
- backport hardening check to work on squeeze

-Kees

-- 
Kees Cook                                            @debian.org


