
Re: [RFC PATCH] dpkg-buildflags: Switch to -fstack-protector-strong



Hi,

On Wed, Jun 25, 2014 at 07:29:09PM -0400, Michael Gilbert wrote:
> Especially when some of them already export either CC=gcc-4.8 or
> CXX=g++-4.8 in debian/rules (like chromium, oxref, and spek), which
> would make it rather convenient to detect the compiler in use.

I've already touched upon this elsewhere in this thread, but my personal
feeling is that we don't want to go down that road. Detecting which
compiler is used and parsing/comparing version numbers is bound to be
fragile and require a lot of maintenance over time.

> Other packages in that set don't do that but patches could be proposed
> for those packages so they don't have this problem in the future.

If we have to touch any packages we might as well do the flag
substitution directly.

> Plus, there will be future situations like this, and if this is
> already implemented, a bunch of similar problems will be avoided.  So
> in general, it's just good hygiene.

If these hypothetical future problems can be worked around just by
comparing version numbers, which is far from being a given...

I don't think that breaking 15 packages out of 10938 is a big deal; we
can patch those and move along. The rest of the archive will benefit
from stronger security. If necessary I will NMU all the affected
packages myself; with luck, most of them will have moved back to the
standard GCC by the time this change makes it into sid, anyway.

Thanks,
-- 
Romain Francoise <rfrancoise@debian.org>
http://people.debian.org/~rfrancoise/

