
Re: sponsor upload aghermann-0.7.0-1 please



Hi Andrei,

Since wheezy is frozen now, all fresh uploads with substantial changes
(e.g. new upstream release) should target 'experimental' instead of
'unstable' in debian/changelog.  I will upload backports to NeuroDebian
anyways ;-)

Now hardening, in which I am not much of an expert, unfortunately:


> Recently lintian has grown clever enough to require -D_FORTIFY_SOURCE

;-) mention that those are just warnings, so theoretically could be
ignored (unless it is a daemon app etc), but it is indeed great to have
them addressed

> and other nifty things as described here: http://wiki.debian.org/Hardening.
> I now duly added the recommended flags to CXXFLAGS, which is not representing
> an issue to write about per se except for the fact that I had to omit -fPIE
> and -pie.  With these latter two, my private libsigfile.so fails to build.

Interesting... as far as I see it, *pie* hardening is even more
optional, and I am surprised that the dyn library doesn't build for you with
fPIC?

> However, adding the following to my debian/rules happens to be enough to
> silence lintian:

;-) per se you don't need to "silence" it (yet) for these

>  export DEB_BUILD_HARDENING=1

>  CXXFLAGS=$(shell dpkg-buildflags --get CFLAGS)
>  LDFLAGS=$(shell dpkg-buildflags --get LDFLAGS)
>  # CXXFLAGS+=$(HARDENING_CFLAGS)
>  # LDFLAGS+=$(HARDENING_LDFLAGS)
>  ## hardening-wrapper doesn't seem to be available
>  ## on all target arches yet, so try adding these flags manually
>  export CXXFLAGS += -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -fstack-protector --param ssp-buffer-size=4
>  export LDFLAGS += -z relro -z now

Well -- if you just care to "silence lintian", i.e. to introduce
hardening only where supported, you could do something like what I have done
for freeipmi:

override_dh_auto_configure:
    dh_auto_configure -- $(shell dpkg-buildflags --export=configure | grep CFLAGS )

So, where dpkg-buildflags provides those hardening flags -- they would
be used, and it would build just fine otherwise.

> Here's the link to .DSC file:
> http://johnhommer.com/academic/code/aghermann/source/deb/aghermann_0.7.0-1.dsc.
> Hope all will build well.

Does it for you? ;-) So tune up the release to experimental, and maybe give it a
2nd thought on how to treat hardening args, and reupload the .dsc.

Cheers!
-- 
Yaroslav O. Halchenko
Postdoctoral Fellow,   Department of Psychological and Brain Sciences
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834                       Fax: +1 (603) 646-1419
WWW:   http://www.linkedin.com/in/yarik        
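
An added example, not part of the e-mail above and not code from either correspondent: a POSIX shell check that reports which of the hardening options listed in the quoted debian/rules snippet are absent from a set of compiler and linker flags, plus a filter that drops the PIE options for a shared-library target as the quoted message describes doing. The function names and the sample flag strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit flag strings for the hardening options named in the
# quoted debian/rules snippet. All names and sample values are constructed.

# normalize FLAGS: fold "-Wl,-z,X" into "-z X", treat -fstack-protector-*
# variants as -fstack-protector, and collapse whitespace.
normalize() {
    printf '%s\n' "$1" |
        sed -e 's/-Wl,-z,/-z /g' -e 's/-fstack-protector-[a-z]*/-fstack-protector/g' |
        tr '\t' ' ' | tr -s ' ' | sed -e 's/^ *//' -e 's/ *$//'
}

# missing_hardening COMPILE_FLAGS LINK_FLAGS
# Prints a comma-separated list of the expected options that are absent
# (empty line when all are present).
missing_hardening() {
    flags=" $(normalize "$1 $2") "
    missing=""
    for want in "-D_FORTIFY_SOURCE=2" "-fstack-protector" "-Wformat" \
                "-Werror=format-security" "-z relro" "-z now"; do
        case "$flags" in
            *" $want "*) ;;                                # present as a whole option
            *) missing="$missing${missing:+,}$want" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# without_pie FLAGS: drop the executable-only PIE options, leaving the rest
# untouched, for targets linked as shared libraries.
# (Relies on word splitting; flags are assumed to contain no glob characters.)
without_pie() {
    out=""
    for f in $1; do
        case "$f" in
            -fPIE|-fpie|-pie) ;;
            *) out="$out${out:+ }$f" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Constructed sample: flags as they might come back from dpkg-buildflags.
sample_c="-g -O2 -fPIE -fstack-protector --param ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2"
sample_ld="-fPIE -pie -Wl,-z,relro"
echo "missing:        $(missing_hardening "$sample_c" "$sample_ld")"
echo "shared-lib ld:  $(without_pie "$sample_ld")"
```

In a real debian/rules the two arguments would come from `dpkg-buildflags --get`, so the check reports what the build environment actually provides on that architecture.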

