On Mon, 27 Sep 2010, Russ Allbery wrote:
> > The not-so-evident part is that I want the syntax of this field to be
> > sufficiently extensible so that we can encode more information like
> > support of hardening build flags and similar stuff that we might want to
> > know to adjust the behaviour at build time.
>
> ...it gets derailed by this feature request for Build-Features, which a
> lot of people are much more dubious about (myself, for example: I think
> hardening flags should be handled similarly to parallel build flags, not
> via Build-Features). So I think solving this problem via the
> Build-Features route is going to keep struggling as long as that's always
> closely linked to using Build-Features to change compiler flags.
Well, I don't make it a requirement to implement it right now and
the Build-Features code can certainly start with just the build-arch
stuff. But I want to make sure we gave it enough thought so that it's not
problematic later on to extend it to other similar but slightly different
needs.
But nobody has submitted acceptable code that does only this in a way
that's ready to merge for me, Bill had his own opinion on naming, syntax,
documentation and the like.
> IMO, Build-Features should declare interfaces and capabilities that the
> source package supports, not a desire for the build system to change other
> things about the build environment.
I'm not sure how you can draw a clear line here.
Supporting dpkg-buildflags to inject flags in the build process is an
interface. Building successfully (and working afterwards) when hardening
flags are injected is a "capability" or a "feature".
> I think we have a good way forward
> for handling hardening flags now with your proposal to externalize
> acquiring build flags from another program, which debian/rules can then
> invoke with appropriate options depending on what sorts of flags the
> source package wants.
We have the basic tool in place but we're far from having a clear picture
yet on how to use this to enable those hardening flags at the distro
level.
debhelper/cdbs do not offer any dpkg-buildflags support for now as far as
I know.
We have not decided how we can enable those at the distribution
level and how packages can opt-out (or opt-in).
Cheers,
--
Raphaël Hertzog ◈ Debian Developer ◈ [Flattr=20693]
Follow my Debian News ▶ http://RaphaelHertzog.com (English)
▶ http://RaphaelHertzog.fr (Français)