Bug#650536: update!
On 2012-03-05 04:47, Kees Cook wrote:
> Okay, here's the latest version. Some notes:
>
Hi,
Thanks for the update.
> - It requires the latest dpkg-dev (still in experimental) to get
> the dpkg-buildflags that supports --query-features.
>
Unfortunately I see two issues here. First, we have been asked to avoid
the unconditional dpkg-dev dependency (see #626476). Perhaps we can use
libdpkg-perl as a fall-back in this case (like we do in
collection/unpacked).
The second problem is that the given version of dpkg-dev is not in
stable[1] and (as I recall) the backport FTP masters were not too happy
with the last backport.
[1] It is not in unstable either, but at this point I am more concerned
with getting it in stable.
> - The hardening checker only expects the hardened features that are
> defaulted on for the architecture of the package it is examining.
>
Good :)
> - The hardening checker checks if it is running as part of the
> internal test suite, so that it is disabled for all tests except
> its own, since the bulk of the internal tests do not build with
> hardening flags, and only for i386 and amd64 since there isn't
> a sane way to generate the "tags" file on the fly for a test.
>
To be honest I do not like the idea of Lintian checks/collections
behaving differently during tests.
I suppose we could make a """sane way to generate the "tags" file""".
We already have several hooks in the test suite, adding another one
should not be a great issue.
Though, we only want hardening tags emitted in a selected few tests...
> Doing manual testing shows that building, for example, the "hello"
> package as-is triggers appropriate warnings, and when I fix the "hello"
> package to import the dpkg-buildflags correctly, the lintian warnings
> go away. :)
>
> -Kees
>
~Niels