Bug#650536: update!

To: Niels Thykier <niels@thykier.net>
Cc: 650536@bugs.debian.org
Subject: Bug#650536: update!
From: Kees Cook <kees@debian.org>
Date: Sun, 11 Mar 2012 05:37:52 -0700
Message-id: <[🔎] 20120311123752.GB4432@outflux.net>
Reply-to: Kees Cook <kees@debian.org>, 650536@bugs.debian.org
In-reply-to: <[🔎] 4F5BE0B9.3000502@thykier.net>
References: <[🔎] 20120305034753.GP3990@outflux.net> <[🔎] 4F54959A.7050000@thykier.net> <[🔎] 20120306005852.GV3990@outflux.net> <[🔎] 87mx7t4n6o.fsf@windlord.stanford.edu> <[🔎] 20120306192641.GY3990@outflux.net> <[🔎] 4F5BE0B9.3000502@thykier.net>

On Sun, Mar 11, 2012 at 12:16:09AM +0100, Niels Thykier wrote:
> I have bumped the debhelper standard test suite to use compat 9 by
> default.  I doubt it will fix all the failures we saw, but at least the
> standard flags are enabled by default.

When I was playing with it, this solved a lot but not all of them. Doesn't
this pose an unbackportable change though? I didn't think compat 9
existed in Squeeze.

> > - make lintian work for wheezy (but disable internal tests for hardening)
> > - backport hardening check to work on squeeze
> 
> I just finished a patch that solves these two.  I made a data file that
> is trivial to regenerate/update using private/refresh-archs (requiring
> dpkg-dev from experimental or newer).  It also removes the need for
> dpkg-dev at runtime.  :)
>   I know you had some concerns about using data files, but I honestly
> think they will be the easiest way to solve the backportability problem.
>  Since we can use dpkg-buildflags to regenerate it automatically, it
> should be trivial to keep it in sync.

I think you've convinced me about the data files. The options shouldn't be
changing terribly frequently.

> It also solves one of the test errors as dpkg-buildflags does not handle
> invalid architectures too well.

True.

> > - build internal hardening test for all archs (hook to generate tags file)
> > - fix other lintian internal tests to work with hardening check
> 
> This part still needs some work though.
> 
> I suspect it might be a good idea to try the test suite on some
> different architectures at some point.  These

Cool, I'll spend some time on the branch getting any stragglers building
correctly.

> Last I checked we still have an "outstanding issue" hardening-check
> using ldd, which I am not certain will work with "foreign" binaries (see
> comment #39).  I suspect it will mostly affect people who do
> cross-builds and lintian.d.o[2].

Yeah, I was just starting to notice this. Inspired by the data file idea, I
think I might do the same for hardening-check and have it build the list of
functions at build-time. I can check if a binary is using libc without
running ldd, and I only needed ldd to generate the function list dynamically.
If it's static, things are faster and more portable. It'll just need updating
from time to time when anything major happens with eglibc.

-Kees

-- 
Kees Cook                                            @debian.org

Reply to:

Follow-Ups:
- Bug#650536: update!
  - From: Niels Thykier <niels@thykier.net>

References:
- Bug#650536: update!
  - From: Kees Cook <kees@debian.org>
- Bug#650536: update!
  - From: Niels Thykier <niels@thykier.net>
- Bug#650536: update!
  - From: Kees Cook <kees@debian.org>
- Bug#650536: update!
  - From: Russ Allbery <rra@debian.org>
- Bug#650536: update!
  - From: Kees Cook <kees@debian.org>
- Bug#650536: update!
  - From: Niels Thykier <niels@thykier.net>

Prev by Date: Processed: Re: Bug#662936: Add check for /usr/lib/php5/<version>/<component>.so and missing phpapi-<version>
Next by Date: Bug#663459: should depend on locales
Previous by thread: Bug#650536: update!
Next by thread: Bug#650536: update!
Index(es):
- Date
- Thread