Bug#650536: ITM: Please review hardening-support branch to fix #650536 (Was: Re: Bug#650536: update!)
On Sun, Apr 01, 2012 at 05:16:38PM +0200, Niels Thykier wrote:
> Thanks, I have pushed it to my branch (with a minor change to also update
> the Depends of lintian in d/control).
Great!
> Kees, btw, are you certain of the copyright statements in
> collection/hardening-info?
>
> """
> # The original shell script version of this script is
> # Copyright (C) 1998 Christian Schwarz
> #
> # The objdump version, including support for etch's binutils, is
> # Copyright (C) 2008 Adam D. Barratt
> #
> # This version, a trimmed-down wrapper for hardening-check, is
> # Copyright (C) 2012 Kees Cook <kees@debian.org>
> """
>
> I suspect some of it is copy-waste from collection/objdump-info...
Yeah, when collection/hardening-info started its life, it was largely
copied from objdump-info. I wasn't sure if I should drop the copy rights
from there, so I left them. If they shouldn't be there, then we can
drop them (patch attached).
> > After this patch, the TODO's single remaining item is:
> >
> > + revise tag certainty and description:
> > - overrides (we can't do much about FP etc.)
> >
> > What is needed for this? Should I expand the descriptions more? Or was
> > there something else?
> >
>
> It was mostly a reminder to myself to review them and maybe add a
> "disclaimer" on the false-positives.
Yeah, I tried to do this in the descriptions already, but maybe it
could be even more verbose. I wasn't sure to what level to get into
the details of the potential false positives. I am, of course, open to
any improvements! :)
> There was also something else, namely making the test suite able to
> handle the architecture specific nature of the hardening tags. I
> have committed some code to handle this.[0] Assuming no one objects
> to the approach, I think we are more or less good to go.
Ah! Yeah, very cool. That had totally slipped my mind.
> Optimally, Lintian would handle the architecture specific part of
> these tags better in terms of overrides so people do not have to
> maintain the archlist for their overrides. However, that can come
> in Lintian 2.5.8 or some later time (if at all).
Wouldn't overrides only be a problem if a maintainer disabled a hardening
feature on a subset of the archs that expected it to be enabled? This
seems unlikely, or maybe I've misunderstood.
> I have rebased the branch and it is now available from [1] and I
> intend to merge it into master before we do the 2.5.7 release.
> As mentioned, I have added a new test suite hook[0], which some
> may (or may not) find controversial.
>
> Assuming no comments/objections, I intend to merge the branch
> into master before the end of Easter.
Great! Thank you so much for all the help with this. :)
-Kees
--
Kees Cook @debian.org
diff --git a/collection/hardening-info b/collection/hardening-info
index b7408be..3e9c6fa 100755
--- a/collection/hardening-info
+++ b/collection/hardening-info
@@ -1,13 +1,7 @@
#!/usr/bin/perl -w
# hardening-info -- lintian collection script
-# The original shell script version of this script is
-# Copyright (C) 1998 Christian Schwarz
-#
-# The objdump version, including support for etch's binutils, is
-# Copyright (C) 2008 Adam D. Barratt
-#
-# This version, a trimmed-down wrapper for hardening-check, is
+# This trimmed-down wrapper for hardening-check is
# Copyright (C) 2012 Kees Cook <kees@debian.org>
#
# This program is free software; you can redistribute it and/or modify
Reply to: