Re: Bug#657853: Building perl with hardened build flags

To: joeyh@debian.org, debian-perl@lists.debian.org, 657853@bugs.debian.org
Subject: Re: Bug#657853: Building perl with hardened build flags
From: Moritz Mühlenhoff <jmm@inutil.org>
Date: Sun, 12 Feb 2012 21:24:40 +0100
Message-id: <[🔎] 20120212202440.GA6934@pisco.westfalen.local>
In-reply-to: <[🔎] 20120212125459.GA4487@madeleine.local.invalid>
References: <20120207204812.GI28729@urchin.earth.li> <20120207221358.GK28729@urchin.earth.li> <20120208074622.GA4593@madeleine.local.invalid> <20120209204425.GX28729@urchin.earth.li> <20120210212909.GA28698@madeleine.local.invalid> <[🔎] 20120211135119.GJ28729@urchin.earth.li> <[🔎] 20120212125459.GA4487@madeleine.local.invalid>

[Adding Joey Hess to CC]

On Sun, Feb 12, 2012 at 02:54:59PM +0200, Niko Tyni wrote:
> [Thanks for taking this to the list; should've done that myself.
>  Just a couple of quick comments for now.]
> 
> On Sat, Feb 11, 2012 at 01:51:19PM +0000, Dominic Hargreaves wrote:
> > On Fri, Feb 10, 2012 at 11:29:09PM +0200, Niko Tyni wrote:
> > > On Thu, Feb 09, 2012 at 08:44:25PM +0000, Dominic Hargreaves wrote:
> 
> > > A. make debhelper pass all of CFLAGS, CPPFLAGS, and LDFLAGS down to
> > >    ExtUtils::MakeMaker and ExtUtils::CBuilder via suitable command line
> > >    invocations (it currently passes only CFLAGS, starting with compat
> > >    level 9)

I would prefer this strategy.

Joey, are you comfortable with changing this for debhelper compat 9,
although it has been finalised already?

> > > B. make ExtUtils::MakeMaker and ExtUtils::CBuilder honour all of
> > >    CFLAGS, CPPFLAGS, and LDFLAGS from the environment (debhelper
> > >    sets these with compat level 9)
> > 
> > You haven't made it explicit, but I assume that the opt-out strategy
> > here is to unset those environment flags in debian/rules (there is
> > no specific way to opt-out with debhelper incantations that I can see).
> 
> debhelper v9 sets CFLAGS and the rest based on dpkg-buildflags, so
> DEB_BUILD_MAINT_OPTIONS would be the way to opt out of specific hardening
> flags when necessary.

Agreed. DEB_BUILD_MAINT_OPTIONS="hardening=-format" would be an exemplary
way to disable format string checks.

> > > Options A and B both require compat level changes to the all the XS
> > > module packages. On the positive side, that also brings in the support
> > > for DEB_BUILD_OPTIONS=noopt.
> > 
> > The compat changes are only required to get the benefit of hardening
> > flags in those modules, which isn't strictly speaking necessary within
> > the wheezy timeframe, AIUI. (In other words, we can satisfy the request
> > to build perl itself with hardening flags without touching any other
> > packages, if we implement A or B.)
> 
> That's a good point about the timeframe. So there's no real hurry with
> the proposed debhelper changes in option A, they can be done after wheezy.

Yep. The release goal for Wheezy is "fix as many as possible, but make
a concentrated effort for all packages of priority >= important and 
which had a DSA since 2006. perl itself matches both conditions :-)
 
Cheers,
        Moritz

Reply to:

Follow-Ups:
- Re: Bug#657853: Building perl with hardened build flags
  - From: Joey Hess <joeyh@debian.org>
- Re: Bug#657853: Building perl with hardened build flags
  - From: Niko Tyni <ntyni@debian.org>
- Re: Bug#657853: Building perl with hardened build flags
  - From: Dominic Hargreaves <dom@earth.li>

References:
- Re: Bug#657853: Building perl with hardened build flags
  - From: Dominic Hargreaves <dom@earth.li>
- Re: Bug#657853: Building perl with hardened build flags
  - From: Niko Tyni <ntyni@debian.org>

Prev by Date: Re: Bug#657853: Building perl with hardened build flags
Next by Date: Re: Bug#657853: Building perl with hardened build flags
Previous by thread: Re: Bug#657853: Building perl with hardened build flags
Next by thread: Re: Bug#657853: Building perl with hardened build flags
Index(es):
- Date
- Thread