
Re: Need help to fix hardening-no-relro and hardening-no-relro



PS: Just found out it is the debugging symbols taking all that space, so
I re-enabled the stackprotector.

2015-08-12 16:11 GMT+08:00, Alex Vong <alexvong1995@gmail.com>:
> Hi Jean-Michel,
>
> Thanks for reminding me that overriding isn't safe.
>
> Now I use `DEB_BUILD_MAINT_OPTIONS = hardening=-stackprotector' to
> remove `-fstack-protector-strong' since it makes the binary 10 times
> the size without the flag. The DEB_*_MAINT_* seems like a better way
> to manipulate flags since new flags can be added without me doing
> anything as you said. Maybe Lintian should add a new warning:
> Overriding *FLAGS in debian/rules.
>
> Cheers,
> Alex
>
> 2015-08-11 23:12 GMT+08:00, Jean-Michel Vourgère <nirgal@debian.org>:
>> Alex Vong wrote:
>>> Maybe overriding CFLAGS and CPPFLAGS but not LDFLAGS will solve FTBFS.
>>>
>>> For example in debian/rules,
>>>
>>> CFLAGS = '-Ofoo'
>>> CPPFLAGS = '-Dfoo'
>>> LDFLAGS += '-lfoo'
>>>
>>> override_dh_auto_configure:
>>> 	dh_auto_configure -- --enable-foo
>>
>> This is wrong. You should *not* overwrite default CFLAGS / CPPFLAGS and
>> so on. This is precisely what usually results in poor hardening. Just
>> imagine what will happen if tomorrow there is a new flag to set?
>>
>> If you really need to add some stuff, you can use
>> DEB_CFLAGS_MAINT_APPEND, and similar. See dpkg-buildflags(1).
>>
>>
>
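
Added example, not part of the original thread and not Lintian's code: a shell check in the spirit of the warning suggested above, listing assignments in a debian/rules file that overwrite CFLAGS, CPPFLAGS or LDFLAGS instead of going through the DEB_*_MAINT_* variables. The function names, the list of variables checked and the two sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list assignments in a debian/rules
# file that replace dpkg-buildflags defaults instead of extending them.

# Prints "LINENO:TEXT" for VAR =, VAR := and VAR ::= on a build-flag variable,
# with or without an "export"/"override" prefix. VAR +=, VAR ?= and the
# DEB_*_MAINT_* variables are not reported. The variable list is an assumption.
find_flag_overrides() {
    grep -nE '^[[:space:]]*((export|override)[[:space:]]+)*(CFLAGS|CXXFLAGS|CPPFLAGS|LDFLAGS)[[:space:]]*:{0,2}=' "$1"
}

# Number of overwriting assignments in the file (0 when none).
count_flag_overrides() {
    find_flag_overrides "$1" | wc -l | tr -d '[:space:]'
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed sample 1: the debian/rules fragment quoted in the thread.
cat > "$workdir/rules.overwrite" <<'EOF'
CFLAGS = '-Ofoo'
CPPFLAGS = '-Dfoo'
LDFLAGS += '-lfoo'

override_dh_auto_configure:
	dh_auto_configure -- --enable-foo
EOF

# Constructed sample 2: the same intent expressed through dpkg-buildflags(1)
# maintainer variables, so the hardening defaults stay in place.
cat > "$workdir/rules.maint" <<'EOF'
export DEB_BUILD_MAINT_OPTIONS = hardening=-stackprotector
export DEB_CFLAGS_MAINT_APPEND = -Ofoo
export DEB_CPPFLAGS_MAINT_APPEND = -Dfoo
export DEB_LDFLAGS_MAINT_APPEND = -lfoo
EOF

for f in "$workdir/rules.overwrite" "$workdir/rules.maint"; do
    echo "$(basename "$f"): $(count_flag_overrides "$f") overwriting assignment(s)"
    find_flag_overrides "$f" || true
done
```

The pattern also matches a shell-style `CFLAGS=...` at the start of a recipe line, which replaces the defaults for that command in the same way.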