
Bug#880527: RFS: fractalnow/0.8.2-1 [ITA]



On Thu, Nov 02, 2017 at 06:35:47PM +0100, Innocent De Marchi wrote:
> Hi Adam, 
> 
> Adding the qt5-default package in build-depends ... works. But this
> does not like lintian ...
> Now follow the lintian complaints (hardening-no-fortify-functions) but
> the hardening flags are in the compilation (Well, for the lintian of
> debian.mentors.net everything is correct).
> I have uploaded the new compilation to debian.mentors.net.

The big one is: build-depends-on-metapackage build-depends: qt5-default.
The wording is clear enough: you'd need to depend on qtbase5-dev instead.
I don't fully understand why the severity of this warning is set so high,
but then, I'm not a QT packager.


As for hardening flags:
There are two link commands that produce something named "fractalnow":
one for a command-line tool, the link command is non-verbose:
  LD     bin/fractalnow
The other is:
g++ -Wl,-O1 -o bin/qfractalnow objs/color_button.o objs/command_line.o
 objs/export_fractal_image_dialog.o objs/fractal_explorer.o
 objs/fractal_config_widget.o objs/fractal_rendering_widget.o
 objs/gradient_box.o objs/gradient_dialog.o objs/gradient_editor.o
 objs/gradient_label.o objs/help.o objs/hoverpoints.o objs/main_window.o
 objs/main.o objs/mpfr_spin_box.o objs/shade_widget.o
 objs/task_progress_dialog.o objs/qrc_qfractalnow.o objs/moc_color_button.o
 objs/moc_export_fractal_image_dialog.o objs/moc_fractal_config_widget.o
 objs/moc_fractal_explorer.o objs/moc_fractal_rendering_widget.o
 objs/moc_gradient_box.o objs/moc_gradient_dialog.o
 objs/moc_gradient_editor.o objs/moc_hoverpoints.o objs/moc_main_window.o
 objs/moc_mpfr_spin_box.o objs/moc_shade_widget.o   -L../lib/bin -lfractalnow
 -lmpc -lmpfr -lgmp -lm -lQt5Widgets -lQt5Gui -lQt5Concurrent -lQt5Core -lGL
 -lpthread
which indeed has no relro/bindnow.

Likewise, looking at a random object:
g++ -c -pipe -O2 -D_REENTRANT -Wall -W -fPIC -D__STDC_LIMIT_MACROS
 -D__STDC_FORMAT_MACROS -D_POSIX_C_SOURCE=200809L -D_ENABLE_MP_FLOATS
 -D_ENABLE_LDOUBLE_FLOATS -DQT_NO_DEBUG -DQT_WIDGETS_LIB -DQT_GUI_LIB
 -DQT_CONCURRENT_LIB -DQT_CORE_LIB -I.  -I.  -Iinclude -I../lib/include
 -isystem /usr/include/x86_64-linux-gnu/qt5 -isystem
 /usr/include/x86_64-linux-gnu/qt5/QtWidgets -isystem
 /usr/include/x86_64-linux-gnu/qt5/QtGui -isystem
 /usr/include/x86_64-linux-gnu/qt5/QtConcurrent -isystem
 /usr/include/x86_64-linux-gnu/qt5/QtCore -Imocs -isystem
 /usr/include/libdrm -I/usr/lib/x86_64-linux-gnu/qt5/mkspecs/linux-g++ -o
 objs/qrc_qfractalnow.o rcc/qrc_qfractalnow.cpp
which has no -D_FORTIFY_SOURCE=2 nor -Werror=format-security.

For a program that takes no untrusted input, though, hardening is only a
wishlist concern.  It would be nice to have it but it's not a show-stopper.
Not passing hardening flags, though, means the build fails to pass any other
flag dpkg-buildflags might add in the future.


Meow!
-- 
⢀⣴⠾⠻⢶⣦⠀ Laws we want back: Poland, Dz.U. 1921 nr.30 poz.177 (also Dz.U. 
⣾⠁⢰⠒⠀⣿⡁ 1920 nr.11 poz.61): Art.2: An official, guilty of accepting a gift
⢿⡄⠘⠷⠚⠋⠀ or another material benefit, or a promise thereof, [in matters
⠈⠳⣄⠀⠀⠀⠀ relevant to duties], shall be punished by death by shooting.
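
An added example, not part of the original message or of the fractalnow packaging: a Python check that scans a verbose build log for the hardening flags the message finds missing, and reports non-verbose lines such as `LD     bin/fractalnow` as unverifiable. The sample log is constructed and shortened from the commands quoted above; the function names are hypothetical.

```python
import os
import re
import shlex

# Flags named in the message; -z now is only emitted by dpkg-buildflags
# when the package sets hardening=+bindnow (or +all).
COMPILE_FLAGS = ("-D_FORTIFY_SOURCE=2", "-Werror=format-security")
LINK_ZOPTS = ("relro", "now")
COMPILER = re.compile(r"(?:.*-)?(?:gcc|g\+\+|cc|c\+\+)(?:-[\d.]+)?")
TERSE = re.compile(r"\s*(?:CC|CXX|LD|AR)\s+\S+\s*")  # e.g. "  LD     bin/fractalnow"

# Constructed sample log, shortened from the commands quoted in the message.
SAMPLE_LOG = """\
  LD     bin/fractalnow
g++ -c -pipe -O2 -fPIC -DQT_NO_DEBUG -Iinclude -o objs/main.o src/main.cpp
g++ -Wl,-O1 -o bin/qfractalnow objs/main.o -L../lib/bin -lfractalnow -lQt5Core
g++ -c -O2 -Werror=format-security -D_FORTIFY_SOURCE=2 -o objs/help.o src/help.cpp
g++ -Wl,-z,relro,-z,now -o bin/hardened objs/help.o
"""


def check_line(line):
    """Return None (not a compiler call), "unverifiable" (terse), or a list of missing flags."""
    if TERSE.fullmatch(line):
        return "unverifiable"
    try:
        argv = shlex.split(line)
    except ValueError:  # unbalanced quotes: not a plain command line
        return None
    if not argv or not COMPILER.fullmatch(os.path.basename(argv[0])):
        return None
    if "-c" in argv:  # compile step: look for preprocessor/compiler flags
        return [f for f in COMPILE_FLAGS if f not in argv]
    # Link step: flatten -Wl,a,b,c so "-Wl,-z,relro,-z,now" and split forms both work.
    ld = [part for a in argv if a.startswith("-Wl,") for part in a.split(",")[1:]]
    zopts = {ld[i + 1] for i in range(len(ld) - 1) if ld[i] == "-z"}
    return ["-Wl,-z," + z for z in LINK_ZOPTS if z not in zopts]


def audit(log_text):
    """Map 1-based line number -> finding for every line that is not fully hardened."""
    findings = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        result = check_line(line)
        if result:  # skips None and empty "nothing missing" lists
            findings[n] = result
    return findings


if __name__ == "__main__":
    for n, finding in audit(SAMPLE_LOG).items():
        print(n, finding)
```

The check needs one command per log line, so a build that prints terse `LD`/`CC` lines has to be rerun verbosely before its flags can be verified.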

