[SCM] Debian package checker branch, master, updated. 2.5.7-11-gd5dea23
The following commit has been merged in the master branch:
commit d5dea236b4e8955b0146e0d87ee3399e0467f8cc
Author: Niels Thykier <niels@thykier.net>
Date: Tue May 22 12:27:38 2012 +0200
c/binaries: demote and disable hardening-no-stackprotector
Demote hardening-no-stackprotector to a wild-guess and move it to a
separate profile (debian/extra-hardening).
Signed-off-by: Niels Thykier <niels@thykier.net>
diff --git a/checks/binaries.desc b/checks/binaries.desc
index 7579484..e621a5d 100644
--- a/checks/binaries.desc
+++ b/checks/binaries.desc
@@ -302,7 +302,7 @@ Info: This package provides an OCaml bytecode executable linked with a
Tag: hardening-no-stackprotector
Severity: normal
-Certainty: possible
+Certainty: wild-guess
Info: This package provides an ELF binary that lacks the stack protector
function <tt>__stack_chk_fail</tt>. Either there are no character arrays used
on the stack of any routines, or the package was not built with the
diff --git a/debian/changelog b/debian/changelog
index ac804a5..703c504 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,12 @@
lintian (2.5.8) UNRELEASED; urgency=low
- * checks/binaries:
+ * checks/binaries{,.desc}:
+ [NT] Fix a too strict regex causing false-positives for
biarch packages. This was a regression introduced in
version 2.5.7. Thanks to Sven Joachim for reporting it.
(Closes: #673106)
+ + [NT] Demote certainty of hardening-no-stackprotector to
+ wild-guess and move it to debian/extra-hardening profile.
* checks/shared-libs:
+ [NT] Fix false positive "dev-pkg-without-shlib-symlink"
for shared libraries using "libtool -release X.Y".
diff --git a/private/generate-profiles.pl b/private/generate-profiles.pl
index 805e0cf..0db46bc 100755
--- a/private/generate-profiles.pl
+++ b/private/generate-profiles.pl
@@ -49,6 +49,12 @@ foreach my $dir (@dirs) {
generate_profile('debian/main', {
'Extends' => 'debian/ftp-master-auto-reject',
'Enable-Tags-From-Check' => \@checks,
+ 'Disable-Tags' => ['hardening-no-stackprotector']
+ });
+
+generate_profile('debian/extra-hardening', {
+ 'Extends' => 'debian/main',
+ 'Enable-Tags' => ['hardening-no-stackprotector']
});
generate_profile('debian/extra-apache2', {
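Review bot: The tag name `'hardening-no-stackprotector'` is now written twice, once under `Disable-Tags` for debian/main and once under `Enable-Tags` for debian/extra-hardening, and nothing says the two lists must stay in step or why the tag is off by default. I would hoist it into one list, `my @extra_hardening_tags = ('hardening-no-stackprotector');`, pass `\@extra_hardening_tags` in both calls, and put a comment above it such as `# Low-certainty (wild-guess) hardening tags: off in debian/main, opt in via debian/extra-hardening.` The re-enable also relies on a child profile's `Enable-Tags` overriding a `Disable-Tags` inherited through `Extends`; I assume profile loading works that way, but it is not visible in this hunk. The `generate_profile('debian/extra-apache2', ...` call continues outside the hunk.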
diff --git a/profiles/debian/extra-hardening.profile b/profiles/debian/extra-hardening.profile
new file mode 100644
index 0000000..b42e5de
--- /dev/null
+++ b/profiles/debian/extra-hardening.profile
@@ -0,0 +1,5 @@
+# This profile is auto-generated
+Profile: debian/extra-hardening
+Extends: debian/main
+Enable-Tags: hardening-no-stackprotector
+
diff --git a/profiles/debian/main.profile b/profiles/debian/main.profile
index b3a39db..c49a0c5 100644
--- a/profiles/debian/main.profile
+++ b/profiles/debian/main.profile
@@ -8,4 +8,5 @@ Enable-Tags-From-Check: binaries, changelog-file, changes-file, conffiles, contr
lintian, manpages, md5sums, menu-format, menus, nmu, ocaml, patch-systems,
po-debconf, rules, scripts, shared-libs, source-copyright, standards-version,
symlinks, version-substvars, watch-file
+Disable-Tags: hardening-no-stackprotector
diff --git a/t/tests/binaries-hardening/desc b/t/tests/binaries-hardening/desc
index ad18843..fd08f5e 100644
--- a/t/tests/binaries-hardening/desc
+++ b/t/tests/binaries-hardening/desc
@@ -3,6 +3,7 @@ Sequence: 6000
Version: 1.0
Description: Check for missing hardening features
Architecture: amd64 i386
+Profile: debian/extra-hardening
Test-For:
hardening-no-relro
hardening-no-stackprotector
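Review bot: With `Profile: debian/extra-hardening` added, this test only exercises the opt-in profile. Nothing visible in the commit checks that the default debian/main profile suppresses hardening-no-stackprotector while still emitting hardening-no-relro and hardening-no-fortify-functions. A sibling test that checks the same weak binary without the `Profile:` line, with expected tags that omit the stackprotector line, would pin the `Disable-Tags` behaviour and catch a regression that silently drops the other hardening tags from the default profile. The `Test-For:` list may continue outside the hunk.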
diff --git a/t/tests/binaries-hardening/tags b/t/tests/binaries-hardening/tags
index ec90777..61a76aa 100644
--- a/t/tests/binaries-hardening/tags
+++ b/t/tests/binaries-hardening/tags
@@ -1,3 +1,3 @@
+I: binaries-hardening: hardening-no-stackprotector usr/bin/weak
W: binaries-hardening: hardening-no-fortify-functions usr/bin/weak
W: binaries-hardening: hardening-no-relro usr/bin/weak
-W: binaries-hardening: hardening-no-stackprotector usr/bin/weak
--
Debian package checker