
Bug#905455: RFS: dmidecode/3.1-2

On Sun, Aug 05, 2018 at 03:54:23PM -0300, Herbert Fortes wrote:
> > > > > Sorry, but can you please add to debian/rules:
> > > > > 
> > > > > export DEB_LDFLAGS_MAINT_APPEND = -fPIE -pie
> > > > > export DEB_CFLAGS_MAINT_APPEND = -fPIE
> > > > Why?
> > > Because of 'blhc --all'
> > I'm sorry but that's not a valid reason.
> Can you tell me why not?
First of all, you should never make a change just because some static analyzer
told you to. You need to understand what it told you, why, and why it
thinks you should make that change.
blhc just analyzes build logs to make sure all expected flags are passed.
"--all   Force check for all +all (+pie, +bindnow) hardening flags. By default it's auto detected."
So if you use --all you either know that the package should pass the flags
for both pie and bindnow or must ignore the respective blhc warnings.
dpkg-buildflags(1) says that the pie hardening option has no effect on 
most architectures, as it's enabled in gcc, so no flags are passed.
In such situations you need to check the result, in this case check 
whether the binary has PIE enabled, not just blindly follow an 
incorrectly used static analyzer (and even then you need to find out the 
problem and not just pass some compiler/linker flags).

> What I know is just 'blhc' is enough. But why not
> use '--all'?
> I do not know much about that and I can learn new
> if you say a bit more.


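The check the reply asks for, "whether the binary has PIE enabled", as an added example that is not part of the bug report and not code from dmidecode, blhc or dpkg-buildflags. It reads the ELF header and program headers directly (the same fields `readelf -h` and `readelf -l` print, which is also what Debian's hardening-check from devscripts inspects). The PIE rule it applies is an assumption for this example: a PIE is an ET_DYN file that also carries a PT_INTERP program header, whereas an ET_DYN file without an interpreter is a plain shared library and an ET_EXEC file has a fixed load address. The `build_elf64` helper constructs minimal, non-loadable ELF images only so the classifier can be exercised offline; the `debian/dmidecode/usr/sbin/dmidecode` path in the usage comment is an assumed location.

```python
"""Classify an ELF file as PIE, fixed-address executable or shared object.

Added example; not code from the bug report, dmidecode, blhc or dpkg.
Assumed rule: PIE == e_type ET_DYN plus a PT_INTERP program header.
Usage after a build (assumed path):
    python3 check_pie.py debian/dmidecode/usr/sbin/dmidecode
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3       # e_type values from the ELF specification
PT_LOAD, PT_INTERP = 1, 3    # p_type values from the ELF specification


def classify_elf(data: bytes) -> str:
    """Return "pie", "exec", "shared-object" or "other" for an ELF image.

    Raises ValueError if `data` does not start with an ELF header.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"   # ELFDATA2LSB vs ELFDATA2MSB
    if ei_class == 2:                        # ELFCLASS64 header layout
        e_type = struct.unpack_from(endian + "H", data, 16)[0]
        e_phoff = struct.unpack_from(endian + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
    elif ei_class == 1:                      # ELFCLASS32 header layout
        e_type = struct.unpack_from(endian + "H", data, 16)[0]
        e_phoff = struct.unpack_from(endian + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
    else:
        raise ValueError("unknown ELF class %d" % ei_class)

    # p_type is the first 32-bit field of a program header in both classes.
    has_interp = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if struct.unpack_from(endian + "I", data, off)[0] == PT_INTERP:
            has_interp = True
            break

    if e_type == ET_EXEC:
        return "exec"                        # fixed load address: not PIE
    if e_type == ET_DYN:
        return "pie" if has_interp else "shared-object"
    return "other"                           # ET_REL, ET_CORE, ...


def classify_file(path: str) -> str:
    """Classify an ELF file on disk."""
    with open(path, "rb") as f:
        return classify_elf(f.read())


def build_elf64(e_type: int, phdr_types) -> bytes:
    """Constructed little-endian ELF64 image: header plus program headers.

    Not loadable; only the fields classify_elf() reads are meaningful.
    """
    phnum = len(phdr_types)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LSB, v1
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 62, 1,          # e_type, e_machine (EM_X86_64), e_version
        0x1000, 64, 0,          # e_entry, e_phoff (right after header), e_shoff
        0, 64, 56, phnum,       # e_flags, e_ehsize, e_phentsize, e_phnum
        64, 0, 0)               # e_shentsize, e_shnum, e_shstrndx
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, 0, 0, 0, 0, 0, 0)
                     for t in phdr_types)
    return ehdr + phdrs


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(path, classify_file(path))
    else:
        # Self-check on constructed images when run without arguments.
        print("ET_DYN + PT_INTERP:", classify_elf(build_elf64(ET_DYN, [PT_LOAD, PT_INTERP])))
        print("ET_EXEC:           ", classify_elf(build_elf64(ET_EXEC, [PT_LOAD, PT_INTERP])))
        print("ET_DYN, no interp: ", classify_elf(build_elf64(ET_DYN, [PT_LOAD])))
```

Run it on the installed binaries under debian/<package>/ after dpkg-buildpackage: if the reply's point holds, the binary reports "pie" even though no -fPIE/-pie appeared in the build log, because the compiler enabled it by default. One caveat of the assumed rule: a statically linked PIE (gcc -static-pie) has no PT_INTERP and would be reported here as "shared-object"; for that case inspect the dynamic section instead, e.g. the PIE flag in DT_FLAGS_1 shown by `readelf -d`.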