Re: Lintian warning hardening-no-stackprotector although compiled with hardening options

[Russ Allbery <rra@debian.org>]

Daniel Leidert <daniel.leidert.spam@gmx.net> writes:

> The html-xml-utils package contains a bunch of small helper programs.
> I've chosen dh 9 compatibility level recently to enable hardening.
> However, I still get lintian warnings for 3 binaries. However all
> binaries are compiled and linked with the same flags. The only
> difference I see is, that the 3 binaries in question are made of only
> one object file, whereas all other binaries are linked together by two
> or more object files.

> So why does lintian give me those warnings and how can it be fixed?

I think we may have to disable that check.  There are just too many false
positives.  Stack protection only happens if you allocate "large"
character arrays off the stack, and a lot of software just doesn't do
that.  (One could argue that doing so is frequently bad coding style
compared to using dynamically allocated memory from the start.  While not
all software that does this has arbitrary limits on things like input line
sizes, a lot of it does.)

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>