Re: Enabling hardened build flags for Wheezy
Le Mon, Apr 30, 2012 at 08:15:35AM -0700, Russ Allbery a écrit :
> Charles Plessy <firstname.lastname@example.org> writes:
> > The problem is: who wants to support what and what for ? I thought that
> > the release goal was to harden Debian, not to fine-grain makefiles in
> > general.
> > What I see here is a system that is generous of other people's time.
> I would have assumed you would just add CPPFLAGS, CFLAGS, and LDFLAGS from
> dpkg-buildflags to CFLAGS in your package if that's how your build system
> works and be done. In other words, debian/rules code like:
> include /usr/share/dpkg/buildflags.mk
> make CFLAGS="$(CPPFLAGS) $(CFLAGS) $(LDFLAGS)"
> This seems only marginally more difficult than a typical package only
> because you'll have to invoke dpkg-buildflags yourself and can't just use
> dh, but I can't imagine this taking more than five to ten minutes in
> debian/rules unless something very strange is going on.
> And yet, this clearly must not be correct, since you're talking about
> sending Makefile patches upstream and are upset about having your time
> wasted. What am I missing?
all our packages include a way to pass build flags to the upstream build
system, in order to implement features such as DEB_BUILD_OPTIONS=noopt. It
would have been trivial to pass the hardening flags automatically through the
same communication channel.
Unfortunately, the hardening build flags have been split in three variables.
To make sure they are passed correctly, either the upstream makefiles have to
be modified, or debian/rules has to be modified. Why couldn't we design a
solution that does not require these modifications except for corner cases ?
It does not matter that they are trivial, the point is that if most C programs
need to have the same override in debian/rules, it feels that there is
(For the patches, I am getting them through the BTS, and I would feel too
unwelcoming to just throw them away).
Have a nice day,
Debian Med packaging team,
Tsurumi, Kanagawa, Japan