Bug#650536: update!
On 2012-03-05 04:47, Kees Cook wrote:
> Okay, here's the latest version. Some notes:
> 
Hi,
Thanks for the update.
> - It requires the latest dpkg-dev (still in experimental) to get
>   the dpkg-buildflags that supports --query-features.
> 
Unfortunately I see two issues here.  First, we have been asked to avoid
the unconditional dpkg-dev dependency (see #626476).  Perhaps we can use
libdpkg-perl as a fall-back in this case (like we do in
collection/unpacked).
The second problem is that the given version of dpkg-dev is not in
stable[1] and (as I recall) the backport FTP masters were not too happy
with the last backport.
[1] It is not in unstable either, but at this point I am more concerned
with getting it in stable.
> - The hardening checker only expects the hardened features that are
>   defaulted on for the architecture of the package it is examining.
> 
Good :)
> - The hardening checker checks if it is running as part of the
>   internal test suite, so that it is disabled for all tests except
>   its own, since the bulk of the internal tests do not build with
>   hardening flags, and only for i386 and amd64 since there isn't
>   a sane way to generate the "tags" file on the fly for a test.
> 
To be honest I do not like the idea of Lintian checks/collections
behaving differently during tests.
I suppose we could make a """sane way to generate the "tags" file""".
We already have several hooks in the test suite, adding another one
should not be a great issue.
Though, we only want hardening tags emitted in a selected few tests...
> Doing manual testing shows that building, for example, the "hello"
> package as-is triggers appropriate warnings, and when I fix the "hello"
> package to import the dpkg-buildflags correctly, the lintian warnings
> go away. :)
> 
> -Kees
> 
~Niels
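As an added illustration (not code from this bug report, nor from Lintian or dpkg), here is how the expectation step Kees describes could be implemented: parse the stanzas that `dpkg-buildflags --query-features hardening` prints to learn which hardening features are defaulted on for the build architecture, then report only the ones absent from a given binary. The sample query output and the per-binary feature list below are constructed; `missing_hardening` is a hypothetical helper name.

```python
"""Derive the hardening features a package is expected to have from
dpkg-buildflags --query-features, then diff against what a binary has."""
import subprocess

# Constructed sample of `dpkg-buildflags --query-features hardening`
# output: one "Feature:"/"Enabled:" stanza per feature, blank-line separated.
SAMPLE_QUERY_OUTPUT = """\
Feature: pie
Enabled: no

Feature: stackprotector
Enabled: yes

Feature: fortify
Enabled: yes

Feature: format
Enabled: yes

Feature: relro
Enabled: yes

Feature: bindnow
Enabled: no
"""


def parse_query_features(text):
    """Parse --query-features output into {feature_name: enabled_bool}."""
    enabled = {}
    feature = None
    for line in text.splitlines():
        line = line.strip()
        if not line:            # blank line ends the current stanza
            feature = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "feature":
            feature = value
        elif key == "enabled" and feature is not None:
            enabled[feature] = value.lower() == "yes"
    return enabled


def expected_features(text=None):
    """Features defaulted on for this architecture. With no text given,
    runs dpkg-buildflags on the host (needs a dpkg-dev with --query-features)."""
    if text is None:
        text = subprocess.run(
            ["dpkg-buildflags", "--query-features", "hardening"],
            check=True, capture_output=True, text=True).stdout
    return {name for name, on in parse_query_features(text).items() if on}


def missing_hardening(expected, found_in_binary):
    """Only features expected here but absent from the binary are reported,
    so a disabled-by-default feature (e.g. pie above) never triggers a tag."""
    return sorted(set(expected) - set(found_in_binary))
```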