Re: Enabling hardened build flags for Wheezy

To: debian-devel@lists.debian.org
Subject: Re: Enabling hardened build flags for Wheezy
From: Charles Plessy <plessy@debian.org>
Date: Tue, 1 May 2012 07:39:54 +0900
Message-id: <[🔎] 20120430223954.GD17085@falafel.plessy.net>
In-reply-to: <[🔎] 87y5pdb694.fsf@windlord.stanford.edu>
References: <[🔎] 87y5pdb694.fsf@windlord.stanford.edu>

Le Mon, Apr 30, 2012 at 08:15:35AM -0700, Russ Allbery a écrit :
> Charles Plessy <plessy@debian.org> writes:
> 
> > The problem is: who wants to support what and what for ?  I thought that
> > the release goal was to harden Debian, not to fine-grain makefiles in
> > general.
> 
> > What I see here is a system that is generous of other people's time.
> 
> I would have assumed you would just add CPPFLAGS, CFLAGS, and LDFLAGS from
> dpkg-buildflags to CFLAGS in your package if that's how your build system
> works and be done.  In other words, debian/rules code like:
> 
>     include /usr/share/dpkg/buildflags.mk
> 
>     override_dh_autobuild:
>             make CFLAGS="$(CPPFLAGS) $(CFLAGS) $(LDFLAGS)"
> 
> This seems only marginally more difficult than a typical package only
> because you'll have to invoke dpkg-buildflags yourself and can't just use
> dh, but I can't imagine this taking more than five to ten minutes in
> debian/rules unless something very strange is going on.
> 
> And yet, this clearly must not be correct, since you're talking about
> sending Makefile patches upstream and are upset about having your time
> wasted.  What am I missing?

Hi Russ,

all our packages include a way to pass build flags to the upstream build
system, in order to implement features such as DEB_BUILD_OPTIONS=noopt.  It
would have been trivial to pass the hardening flags automatically through the
same communication channel.

Unfortunately, the hardening build flags have been split in three variables.
To make sure they are passed correctly, either the upstream makefiles have to
be modified, or debian/rules has to be modified.  Why couldn't we design a
solution that does not require these modifications except for corner cases ?
It does not matter that they are trivial, the point is that if most C programs
need to have the same override in debian/rules, it feels that there is
something wrong.

(For the patches, I am getting them through the BTS, and I would feel too
unwelcoming to just throw them away).

Have a nice day,

-- 
Charles Plessy
Debian Med packaging team,
http://www.debian.org/devel/debian-med
Tsurumi, Kanagawa, Japan

Reply to:

Follow-Ups:
- Re: Enabling hardened build flags for Wheezy
  - From: Russ Allbery <rra@debian.org>

References:
- Re: Enabling hardened build flags for Wheezy
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: non-satisfyable Recommends: in main (was Re: Bug#661329: recommends doom-wad which is only provided by non-free doom-wad-shareware)
Next by Date: Re: Enabling hardened build flags for Wheezy
Previous by thread: Re: Enabling hardened build flags for Wheezy
Next by thread: Re: Enabling hardened build flags for Wheezy
Index(es):
- Date
- Thread