Bug#650536: update!
On 2012-03-06 20:26, Kees Cook wrote:
> Hi Russ,
>
> On Tue, Mar 06, 2012 at 10:08:31AM -0800, Russ Allbery wrote:
>> Kees Cook <kees@debian.org> writes:
>>
Hi,
I have started an unofficial branch[1] to get something more concrete on
this. I decided to rename the tags so they had a common prefix (it
simplified the updated to t/scripts/implemented-tags.t).
>>> This was the big problem. I spent a lot of time trying to see how bad it
>>> would be to fix every build in the testsuite to DTRT with respect to
>>> dpkg-buildflags, but it was a losing battle. Or, at least, a tedious
>>> battle. Ultimately I decided it was better to just have the hardening
>>> checker disable itself in the face of the other tests.
>>
>>> I'm open to ideas for this part, but a lot of the test builds don't pass
>>> all the needed flags, or hard code flags, etc etc. Changing the compat
>>> level worked for many of the failures, but not all and left about 30
>>> that still needed to be changed by hand. If it's important to do this
>>> strictly correct, I can, it'll just take me a while.
>>
>> The general intent of the Lintian test suite is that the packages it
>> produces should be Lintian-clean except for the tags that the package is
>> specifically testing (or others that are unavoidable for some reason). So
>> when new requirements for Debian packages are added, as a general rule of
>> thumb we want to update the test suite so that it meets those requirements
>> except for those tests that are testing Lintian's tags for those
>> requirements.
>>
I have bumped the debhelper standard test suite to use compat 9 by
default. I doubt it will fix all the failures we saw, but at least the
standard flags are enabled by default.
>> So, this is work that does need to be done eventually, I think. That
>> doesn't mean it has to be a blocker for getting the tag into Lintian,
>> though.
>
> Okay. In that case, I think the work needs to be broken into several pieces:
>
> - make lintian work for wheezy (but disable internal tests for hardening)
> - backport hardening check to work on squeeze
I just finished a patch that solves these two. I made a data file that
is trivial to regenerate/update using private/refresh-archs (requiring
dpkg-dev from experimental or newer). It also removes the need for
dpkg-dev at runtime. :)
I know you had some concerns about using data files, but I honestly
think they will be the easiest way to solve the backportability problem.
Since we can use dpkg-buildflags to regenerate it automatically, it
should be trivial to keep it in sync.
It also solves one of the test errors as dpkg-buildflags does not handle
invalid architectures too well.
> - build internal hardening test for all archs (hook to generate tags file)
> - fix other lintian internal tests to work with hardening check
This part still needs some work though.
I suspect it might be a good idea to try the test suite on some
different architectures at some point. These
>
> -Kees
>
Last I checked we still have an "outstanding issue" hardening-check
using ldd, which I am not certain will work with "foreign" binaries (see
comment #39). I suspect it will mostly affect people who do
cross-builds and lintian.d.o[2].
If I recall, hardening-check falls back to assuming the binary is
"safe" for the checks needing ldd data, so we should get false-negatives
rather than false-positives in this case.
~Niels
[1]
http://anonscm.debian.org/gitweb/?p=users/nthykier/lintian.git;a=shortlog;h=refs/heads/hardening-support
[2] lintian.d.o is amd64, but it checks i386 packages.
Reply to: