
Bug#650536: update!



On Mon, Mar 05, 2012 at 11:29:46AM +0100, Niels Thykier wrote:
> On 2012-03-05 04:47, Kees Cook wrote:
> > - It requires the latest dpkg-dev (still in experimental) to get
> >   the dpkg-buildflags that supports --query-features.
> 
> Unfortunately I see two issues here.  First, we have been asked to avoid
> the unconditional dpkg-dev dependency (see #626476).  Perhaps we can use
> libdpkg-perl as a fall-back in this case (like we do in
> collection/unpacked).

Hrm, well, as long as dpkg-buildflags is the right one, I don't care
what the Depends say. ;)

> The second problem is that the given version of dpkg-dev is not in
> stable[1] and (as I recall) the backport FTP masters were not too happy
> with the last backport.
> 
> [1] It is not in unstable either, but at this point I am more concerned
> with getting it in stable.
> 

Right -- though I have no way around this. All the pieces needed for
these checks come from the new dpkg-buildflags. Perhaps the hardening
check can be disabled for the backport, since it's rather meaningless
for stable anyway?

> > - The hardening checker checks if it is running as part of the
> >   internal test suite, so that it is disabled for all tests except
> >   its own, since the bulk of the internal tests do not build with
> >   hardening flags, and only for i386 and amd64 since there isn't
> >   a sane way to generate the "tags" file on the fly for a test.
> > 
> 
> To be honest I do not like the idea of Lintian checks/collections
> behaving differently during tests.
> I suppose we could make a """sane way to generate the "tags" file""".
> We already have several hooks in the test suite, adding another one
> should not be a great issue.

I could write a hook to generate the tags file on the fly, but that
only handles the per-arch limitation of the internal test for the
hardening checker.

> Though, we only want hardening tags emitted in a selected few tests...

This was the big problem. I spent a lot of time trying to see how bad
it would be to fix every build in the testsuite to DTRT with respect
to dpkg-buildflags, but it was a losing battle. Or, at least, a tedious
battle.  Ultimately I decided it was better to just have the hardening
checker disable itself in the face of the other tests.

I'm open to ideas for this part, but a lot of the test builds don't pass
all the needed flags, or hard code flags, etc etc. Changing the compat
level worked for many of the failures, but not all and left about 30
that still needed to be changed by hand. If it's important to do this
strictly correct, I can, it'll just take me a while.

-Kees

-- 
Kees Cook                                            @debian.org


