Bug#1119372: marked as done (cdecl: please build using the default build flags)



Your message dated Thu, 04 Dec 2025 13:33:54 +0000
with message-id <E1vR9T0-00CldS-35@fasolo.debian.org>
and subject line Bug#1119372: fixed in cdecl 2.5-17
has caused the Debian Bug report #1119372,
regarding cdecl: please build using the default build flags
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1119372: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119372
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: cdecl
Version: 2.5-16
User: debian-security@lists.debian.org
Usertags: hardening-buildflags

cdecl is not currently using the default build flags set by dpkg-buildflags(1).
The default flags are chosen for multiple reasons including security,
performance, reproducibility, adherence to standards, and error handling.

Please make sure that cdecl builds using the default build flags. blhc(1p)
and hardening-check(1) can be used to confirm that the issue is fixed.

In the general case, packages honoring CFLAGS, LDFLAGS, and other
similar environment variables get the default build flags for free
without the need for any work on the maintainer side. In the case of
cdecl, the flags are either ignored or overridden.

The most common reasons for this are:

Hand-written Makefiles
----------------------
Some upstream Makefiles either override the values of variables such as
CFLAGS and similar or do not use them at all. See:
https://wiki.debian.org/HardeningWalkthrough#Handwritten_Makefiles

Misconfigured build systems
---------------------------
If the upstream code uses autotools, CMake, or other popular build
systems, it usually requires no further modifications. It might however
be that some variables are hardcoded in some way.

In this CMake snippet, the value of CXXFLAGS is overwritten with "-O2":

 set(CMAKE_CXX_FLAGS "-O2")

If the intention is to append to CXXFLAGS, one should use the following
instead:

 set(CMAKE_CXX_FLAGS "-O2 ${CMAKE_CXX_FLAGS}")

See #655870 for a similar autotools example. 

Very old debhelper usage
------------------------
Packages not using dh(1), or those using a debhelper compatibility level
less than 9, need to manually include /usr/share/dpkg/buildflags.mk in
order for the dpkg-buildflags variables to be set:
https://wiki.debian.org/Hardening#dpkg-buildflags

Flags hardcoded in debian/rules (either voluntarily or not)
-----------------------------------------------------------
Some packages voluntarily hardcode the values of CFLAGS and friends in
debian/rules, ignoring the defaults set by dpkg-buildflags(1).

Others attempt to append to the variables, but end up accidentally
overriding the defaults:

 #!/usr/bin/make -f
 export CFLAGS += -pipe -fPIC -Wall

 %:
 	dh $@

Debhelper only sets CFLAGS if it is not set yet. In the example above,
when dh is invoked the value of CFLAGS is "-pipe -fPIC -Wall", hence the
hardened defaults are not used. The right way to append to CFLAGS is
using DEB_CFLAGS_MAINT_APPEND instead, as documented in
dpkg-buildflags(1).

For a detailed analysis of this issue, see:
https://people.debian.org/~ema/nocflags_paper.pdf (eprint: hal-05334704)

--- End Message ---
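
A minimal build-log check in the spirit of the confirmation step the report asks for, added here as an illustration (it is not blhc(1p), and not code from the report or from cdecl). The REQUIRED list is an assumed subset of the dpkg-buildflags defaults, the log lines are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Assumed subset of the hardening flags dpkg-buildflags emits by default;
# compare with `dpkg-buildflags --get CFLAGS` / `--get CPPFLAGS` on your system.
REQUIRED="-fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2"

# Constructed sample log: line 2 is what a compile line looks like when
# debian/rules exports "CFLAGS += -pipe -fPIC -Wall" and the defaults are lost;
# line 3 is the same build with the defaults kept and the extras appended.
sample_log() {
cat <<'EOF'
dh_auto_build
gcc -pipe -fPIC -Wall -c -o cdecl.o cdecl.c
gcc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -pipe -fPIC -Wall -c -o cdgram.o cdgram.c
EOF
}

# missing_flags LINE: print the REQUIRED flags that do not appear as
# whole words in LINE (empty output means the line is fully hardened).
missing_flags() {
    out=""
    for flag in $REQUIRED; do
        case " $1 " in
            *" $flag "*) ;;
            *) out="$out $flag" ;;
        esac
    done
    printf '%s' "${out# }"
}

# check_log: read a build log on stdin, report every compile line
# (gcc/cc ... -c ...) that lacks a required flag; return 1 if any was found.
check_log() {
    rc=0
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in
            gcc\ *" -c "*|cc\ *" -c "*) ;;
            *) continue ;;
        esac
        miss=$(missing_flags "$line")
        [ -n "$miss" ] && { echo "line $n: missing $miss"; rc=1; }
    done
    return $rc
}

sample_log | check_log || echo "build log contains unhardened compile lines"
```

On a real package, feed the build log to `check_log` on stdin instead of `sample_log`; link lines and flags such as `-Wl,-z,relro` are outside what this sketch inspects.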
--- Begin Message ---
Source: cdecl
Source-Version: 2.5-17
Done: Andreas Tille <tille@debian.org>

We believe that the bug you reported is fixed in the latest version of
cdecl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1119372@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Tille <tille@debian.org> (supplier of updated cdecl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 04 Dec 2025 14:12:03 +0100
Source: cdecl
Architecture: source
Version: 2.5-17
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Andreas Tille <tille@debian.org>
Closes: 1119372
Changes:
 cdecl (2.5-17) unstable; urgency=medium
 .
   * QA upload.
   * Add Homepage
   * Maintain in Debian team on Salsa
   * d/copyright: DEP5
   * Standards-Version: 4.7.2 (routine-update)
   * debhelper-compat 13 (routine-update)
   * Remove trailing whitespace in debian/changelog (routine-update)
   * Trim trailing whitespace.
   * Use set -e rather than passing -e on the shebang-line.
   * Fix day-of-week for changelog entry 2.5-14.
   * d/substvars: removed
   * d/source/include-binaries: removed
   * Enable building using the default build flags
     Closes: #1119372
   * Hardening (which requires std=gnu17 due to old function definition)
   * Add watch file pointing to latest commit

--- End Message ---