Re: Bug#669373: RFS: flactag/2.0.1-1 ITP #507876
- To: Bart Martens <bartm@debian.org>
- Cc: Andy Hawkins <andy@gently.org.uk>, debian-mentors@lists.debian.org
- Subject: Re: Bug#669373: RFS: flactag/2.0.1-1 ITP #507876
- From: Daniel Pocock <daniel@pocock.com.au>
- Date: Mon, 21 May 2012 19:26:43 +0000
- Message-id: <4FBA96F3.1080405@pocock.com.au>
- In-reply-to: <4FB94E57.3080807@pocock.com.au>
- References: <slrnjrfhoe.tgv.andy@atom.gently.org.uk> <20120519163009.GA20344@master.debian.org> <20120519165256.GA32175@gently.org.uk> <4FB7D397.2020405@pocock.com.au> <20120519181536.GA23422@master.debian.org> <20120520105816.GA17137@gently.org.uk> <20120520110837.GA30290@master.debian.org> <20120520183346.GA1178@gently.org.uk> <20120520185333.GB26739@master.debian.org> <20120520185659.GA2321@gently.org.uk> <20120520191446.GA13760@master.debian.org> <4FB94E57.3080807@pocock.com.au>
> lintian gives none of the new errors, but I still see them on mentors:
>
> http://mentors.debian.net/package/resiprocate
This was discussed on debian-mentors today - some lintian warnings are
not 100% reliable.
> Bart, can you give us any other tips about these errors? Have I done
> the right thing with the debian/rules file for resiprocate? Does it
> matter where the binary package is built for these *FLAGS to be
> effective, e.g. if I build my binary package on a machine running
> squeeze, then the hardening stuff won't be in the code and
> mentors/lintian will complain?
I've done builds of all my packages on squeeze and, after tweaking the
hardening stuff some more, I found that most of the warnings go away, so
building on squeeze seems to be a requirement now.
Setting *FLAGS directly didn't work reliably; I found this method most
reliable with both cmake and autotools projects:
DEB_BUILD_MAINT_OPTIONS = hardening=+all
DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk
The new libmusicbrainz5 and flactag packages are up now:
http://mentors.debian.net/package/libmusicbrainz
http://mentors.debian.net/package/flactag
I notice lintian still gives a stack-protector warning for one of the
binaries, discid, even though both binaries are compiled and linked with
the correct flags - they are both built the same way using autotools:
/bin/bash ./libtool --tag=CXX --mode=link g++ -g -O2 -fPIE
-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security
-Werror=format-security -fPIE -pie -Wl,-z,relro -Wl,-z,now -o discid
discid.o DiscIDWrapper.o Cuesheet.o CuesheetTrack.o -ldiscid -ljpeg
libtool: link: g++ -g -O2 -fPIE -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Wformat-security
-Werror=format-security -fPIE -pie -Wl,-z -Wl,relro -Wl,-z -Wl,now -o
discid discid.o DiscIDWrapper.o Cuesheet.o CuesheetTrack.o -ldiscid -ljpeg
$ hardening-check flactag
flactag:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
$ hardening-check discid
discid:
Position Independent Executable: yes
Stack protected: no, not found!
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes