
Bug#720063: RFS: capnproto/0.2.0-1 [ITP] -- Tool for working with the Cap'n Proto data interchange format



Alright, latest build of this package is up on mentors.debian.net:

http://mentors.debian.net/package/capnproto

Noticed that my watch file has detected a new point release Kenton put out earlier today to work around that GCC compiler bug.

Should I upgrade to the new release now? Or is it okay to follow up with a 0.2.1-1 build once 0.2.0-1 lands in unstable?

Cheers,
Tom


On Mon, Aug 19, 2013 at 3:12 AM, Vincent Bernat <bernat@debian.org> wrote:
 ❦ 19 August 2013 11:46 CEST, Tom Lee <debian@tomlee.co> :

>> The easiest way is to use Lintian (I use it with -viI).
>>
>>
> Odd, I don't see any warnings:
>
> tom@desktop:~/Source$ lintian -viI capnproto_0.2.0-1.dsc
> N: Using profile debian/main.
> N: Setting up lab in /tmp/temp-lintian-lab-q9W0nEVK6F ...
> N: Unpacking packages in group capnproto/0.2.0-1
> N: ----
> N: Processing source package capnproto (version 0.2.0-1, arch source) ...
>
> I also see what looks like hardening-related CXXFLAGS during the build.
> Stuff like this:
>
> -D_FORTIFY_SOURCE=2 -I./src -I./src  -g -O2 -fPIE -fstack-protector
> --param=ssp-buffer-size=4 -Wformat -Werror=format-security
>
> The warning appears on mentors.debian.net:
> http://mentors.debian.net/package/capnproto
>
> Maybe related to this bug:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673112#10
>
> Based on this bug & assuming you can see the _FORTIFY_SOURCE etc. during
> your build I'd be inclined to add another override for this -- what do you
> think?
>
> Weird, I can't reproduce it locally.

Try with "hardening-check" then:
/usr/bin/capnp:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: yes

The unprotected functions are getcwd() and memcpy().

In the bug you pointed to, it seems that memcpy() can be left unprotected
when it is used in replacement of strcpy(). Maybe there is no other
issue with getcwd(). Since there is no use of other commonly protected
functions like *printf(), this should be a false positive. Therefore,
yes, add a lintian override.

>> Well, you shouldn't get this warning. Maybe it was here because you were
>> build-depending on python-support?
>>
>
> Doesn't seem that way. From the control file:
>
> Build-Depends: debhelper (>= 8.0.0), gcc (>= 4.7),
>  python-all (>= 2.6), dpkg-dev (>= 1.16.1.1), docbook-xsl, docbook-xml,
>  xsltproc, autotools-dev
>
> Removed --with python2 from debian/rules and I see this near the end of the
> build:
>
> ...
>    dh_install
>    dh_installdocs
>    dh_installchangelogs
>    dh_installman
>    dh_pysupport
> dh_pysupport: This program is deprecated, you should use dh_python2
> instead. Migration guide: http://deb.li/dhs2p

Oh, OK. Just ignore this warning. dh_pysupport is just called because
you are using compat 8 and it is installed.
--
Make your program read from top to bottom.
            - The Elements of Programming Style (Kernighan & Plauger)



--
Tom Lee http://tomlee.co / @tglee
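The hardening-check false positive discussed above can be seen from the compiler's side. This is an added example, not code from the thread or from capnproto: it uses the same __builtin_object_size() query that glibc's fortified memcpy() wrapper relies on (so it assumes GCC or Clang), and fortify_copy() reproduces the size check __memcpy_chk performs, returning 0 instead of aborting; the function names are mine. It shows that a fortified build only keeps a __memcpy_chk call when the destination size is known and the length is not provably safe, so a binary whose copies are all provably safe or of unknown destination size reports "only unprotected functions found" despite being built with -D_FORTIFY_SOURCE=2.

```c
#include <stddef.h>
#include <string.h>

/* Mirrors the decision __memcpy_chk makes: refuse when n exceeds the known
 * destination size.  A dst_size of (size_t)-1 means "unknown", which fortify
 * cannot check.  Returns 0 where fortify would abort, 1 on a completed copy. */
static int fortify_copy(void *dst, size_t dst_size, const void *src, size_t n) {
    if (dst_size != (size_t)-1 && n > dst_size)
        return 0;
    memcpy(dst, src, n);
    return 1;
}

/* Shape 1: fixed-size array, constant length.  The size (16) and the length
 * (8) are both known at compile time, so the fortified header's check is
 * decided by the compiler and only a plain memcpy is emitted. */
size_t known_dst_const_len(const char *src) {
    char buf[16];
    fortify_copy(buf, __builtin_object_size(buf, 0), src, 8);
    return __builtin_object_size(buf, 0);   /* 16 */
}

/* Shape 2: destination reached only through a pointer.  noinline keeps the
 * caller's knowledge of the object out at -O2, as across any real call. */
__attribute__((noinline))
size_t unknown_dst(char *dst, const char *src, size_t n) {
    fortify_copy(dst, __builtin_object_size(dst, 0), src, n);
    return __builtin_object_size(dst, 0);   /* (size_t)-1: nothing to check */
}

/* Driver for shape 2 with a real, finite buffer (a local array, so no
 * interprocedural constant propagation can reveal its size to unknown_dst). */
size_t unknown_dst_demo(void) {
    char out[32];
    return unknown_dst(out, "abc", 3);
}

/* Shape 3: known size, run-time length.  In a real fortified build a bare
 * memcpy(buf, src, n) of this shape is the one that keeps a __memcpy_chk
 * call; here fortify_copy performs that same check explicitly, so a length
 * of 20 is refused instead of overflowing the 16-byte buffer. */
__attribute__((noinline))
int known_dst_runtime_len(const char *src, size_t n) {
    char buf[16];
    return fortify_copy(buf, __builtin_object_size(buf, 0), src, n);
}
```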

