Re: New Build-Options field and build-arch option, please review

To: Felipe Sateler <fsateler@gmail.com>
Cc: debian-dpkg@lists.debian.org, 229357@bugs.debian.org, 489771@bugs.debian.org, Bill Allombert <ballombe@debian.org>, Kees Cook <kees@outflux.net>
Subject: Re: New Build-Options field and build-arch option, please review
From: Russ Allbery <rra@debian.org>
Date: Fri, 11 Jul 2008 09:47:51 -0700
Message-id: <[🔎] 87k5fsnz9k.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] 20080711071041.GG17010@ouaza.com> (Raphael Hertzog's message of "Fri\, 11 Jul 2008 09\:10\:41 +0200")
References: <[🔎] 20080710220233.GA27990@ouaza.com> <[🔎] 200807101919.20662.fsateler@gmail.com> <[🔎] 20080711071041.GG17010@ouaza.com>

Raphael Hertzog <hertzog@debian.org> writes:

> Even if there's only two things, the fact is that the package maintainer
> wants not only to decide what is supported but he might also want to
> enable some features... if you check the case that I listed above, we
> also want to use Build-Options to _enable_ specific hardening
> measures. Because the maintainer knows best which hardening measures
> should be enabled. But we also want the builder to be able to override
> them for example to test if the package now supports a previously
> disabled hardening measure.

This doesn't make sense to me.  The maintainer writes debian/rules; why
would they need to change Build-Options in debian/control to enable
anything about the build?

I'd rather see Build-Options in debian/control be clearly defined as
capabilities that the package supports and not used as a substitute for
the existing DEB_BUILD_OPTIONS method of controlling what the build does
in practice.  (And I'd prefer it to be called Build-Options-Supported or
something along those lines.)  I think this still fits for #489771; the
presence of the hardening option in Build-Options-Supported indicates that
the package can usefully be built with hardening (it doesn't cause the
package build to break or the binaries to malfunction).  If the package
maintainer wants the package to always be built with those options, they
should make that change directly in debian/rules, not via this method.
They're going to have to test each flag that goes into the hardening
options separately anyway to make sure that it works (the current proposed
hardening flags break many packages, and if you follow debian/changelog
files, you'll see that many maintainers have added them blindly and then
had to roll back when they break).

Using a debian/control field to set DEB_BUILD_OPTIONS in dpkg-buildpackage
is a solution looking for a problem, IMO, and I'd rather not see that
tangled up with the much-needed problem of specifying which options a
package supports and finally dealing with the whole build-arch/build-indep
mess.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

References:
- New Build-Options field and build-arch option, please review
  - From: Raphael Hertzog <hertzog@debian.org>
- Re: New Build-Options field and build-arch option, please review
  - From: Felipe Sateler <fsateler@gmail.com>
- Re: New Build-Options field and build-arch option, please review
  - From: Raphael Hertzog <hertzog@debian.org>

Prev by Date: Re: New Build-Options field and build-arch option, please review
Next by Date: Re: New Build-Options field and build-arch option, please review
Previous by thread: Re: New Build-Options field and build-arch option, please review
Next by thread: Re: New Build-Options field and build-arch option, please review
Index(es):
- Date
- Thread