
Re: Need help to fix hardening-no-relro and hardening-no-relro



Hi Jean-Michel,

Thanks for reminding me that overriding isn't safe.

Now I use `DEB_BUILD_MAINT_OPTIONS = hardening=-stackprotector' to
remove `-fstack-protector-strong' since it makes the binary 10 times
the size without the flag. The DEB_*_MAINT_* seems like a better way
to manipulate flags since new flags can be added without me doing
anything as you said. Maybe Lintian should add a new warning:
Overriding *FLAGS in debian/rules.

Cheers,
Alex

2015-08-11 23:12 GMT+08:00, Jean-Michel Vourgère <nirgal@debian.org>:
> Alex Vong wrote:
>> Maybe overriding CFLAGS and CPPFLAGS but not LDFLAGS will solve FTBFS.
>>
>> For example in debian/rules,
>>
>> CFLAGS = '-Ofoo'
>> CPPFLAGS = '-Dfoo'
>> LDFLAGS += '-lfoo'
>>
>> override_dh_auto_configure:
>> 	dh_auto_configure -- --enable-foo
>
> This is wrong. You should *not* overwrite default CFLAGS / CPPFLAGS and
> so on. This is precisely what usually results in poor hardening. Just
> imagine what will happen if tomorrow there is a new flag to set?
>
> If you really need to add some stuff, you can use
> DEB_CFLAGS_MAINT_APPEND, and similar. See dpkg-buildflags(1).
>
>
>
>
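
The check suggested in this thread (warn when debian/rules overrides *FLAGS), sketched as an added example that is not part of the original messages and is not Lintian's own code. The function name, the four-variable list and the rule that `=`, `:=` and `::=` count as overrides while `+=` does not are assumptions made for this illustration; both sample files are constructed, the first from the fragment quoted above.

```python
import re

# Variables dpkg-buildflags fills with hardening defaults (subset; assumption).
FLAG_VARS = ("CFLAGS", "CPPFLAGS", "CXXFLAGS", "LDFLAGS")
# Plain assignment (=, :=, ::=) replaces the value; += only appends to it.
ASSIGN = re.compile(r"^(?:(?:export|override)\s+)*(%s)\s*(::=|:=|=)\s*(.*)$"
                    % "|".join(FLAG_VARS))


def find_flag_overrides(rules_text):
    """Return (line_number, variable, operator) for each overriding assignment."""
    findings = []
    for number, line in enumerate(rules_text.splitlines(), start=1):
        if line.startswith("\t") or line.lstrip().startswith("#"):
            continue  # recipe lines and comments are not make assignments
        match = ASSIGN.match(line.strip())
        if not match:
            continue
        variable, operator, value = match.groups()
        if "dpkg-buildflags" in value:
            continue  # value is rebuilt from the defaults, not discarded
        findings.append((number, variable, operator))
    return findings


# Constructed sample: the debian/rules fragment quoted in the thread.
OVERRIDING_RULES = """\
CFLAGS = '-Ofoo'
CPPFLAGS = '-Dfoo'
LDFLAGS += '-lfoo'

override_dh_auto_configure:
\tdh_auto_configure -- --enable-foo
"""

# Constructed sample: same intent via the maintainer variables from the thread.
MAINT_RULES = """\
export DEB_BUILD_MAINT_OPTIONS = hardening=-stackprotector
export DEB_CFLAGS_MAINT_APPEND = -Ofoo
export DEB_CPPFLAGS_MAINT_APPEND = -Dfoo
export DEB_LDFLAGS_MAINT_APPEND = -lfoo

override_dh_auto_configure:
\tdh_auto_configure -- --enable-foo
"""

if __name__ == "__main__":
    for name, text in (("overriding", OVERRIDING_RULES), ("maint", MAINT_RULES)):
        print(name, find_flag_overrides(text))
```
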

