
Bug#673112: lintian: hardening-no-stackprotector check has many false positives



On 2012-05-18 22:34 +0200, Russ Allbery wrote:

> Ralf Jung <post@ralfj.de> writes:
>
>> I'd like to extend this to hardening-no-fortify-functions: My package
>> definitely has -D_FORTIFY_SOURCE=2 set (an excerpt from the build flags:
>> "-fstack-protector --param=ssp-buffer-size=4 -Wformat
>> -Werror=format-security -D_FORTIFY_SOURCE=2"), but I get a
>> hardening-no-stackprotector and hardening-no-fortify-functions for its
>> only binary.
>
> False positives for _FORTIFY_SOURCE are somewhat rarer, and that one is
> much easier to miss applying due to the CPPFLAGS vs. CFLAGS distinction.
> My immediate inclination would be to ask people to add an override for
> false positives for it, since it's more likely that the tag is valid.

Easier said than done, how should I override this warning:

,----
| W: libncurses5: hardening-no-fortify-functions usr/lib/i386-linux-gnu/libmenu.so.5.9
`----

Using the output verbatim only works for one architecture and generates
an additional problem (unused-override) for all others; substituting
${DEB_HOST_MULTIARCH} at build time instead leads to
/usr/share/lintian/overrides/libncurses5 having architecture-dependent
content, breaking multiarch coinstallability.

Cheers,
       Sven
