❦ 19 August 2013 11:46 CEST, Tom Lee <debian@tomlee.co>:
>> The easiest way is to use Lintian (I use it with -viI).
>>
>>
> Odd, I don't see any warnings:
>
> tom@desktop:~/Source$ lintian -viI capnproto_0.2.0-1.dsc
> N: Using profile debian/main.
> N: Setting up lab in /tmp/temp-lintian-lab-q9W0nEVK6F ...
> N: Unpacking packages in group capnproto/0.2.0-1
> N: ----
> N: Processing source package capnproto (version 0.2.0-1, arch source) ...
>
> I also see what looks like hardening-related CXXFLAGS during the build.
> Stuff like this:
>
> -D_FORTIFY_SOURCE=2 -I./src -I./src -g -O2 -fPIE -fstack-protector
> --param=ssp-buffer-size=4 -Wformat -Werror=format-security
>
> The warning appears on mentors.debian.net:
> http://mentors.debian.net/package/capnproto
>
> Maybe related to this bug:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673112#10
>
> Based on this bug & assuming you can see the _FORTIFY_SOURCE etc. during
> your build I'd be inclined to add another override for this -- what do you
> think?
>
> Weird I can't reproduce it locally.

Try with "hardening-check" then:

/usr/bin/capnp:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: yes

The unprotected functions are getcwd() and memcpy().
In the bug you pointed to, it seems that memcpy() can be left unprotected
when it is used in replacement of strcpy(). Maybe there is no other
issue with getcwd(). Since there is no use of other commonly protected
functions like *printf(), this should be a false positive. Therefore,
yes, add a lintian override.

>> Well, you shouldn't get this warning. Maybe it was here because you were
>> build-depending on python-support?
>>
>
> Doesn't seem that way. From the control file:
>
> Build-Depends: debhelper (>= 8.0.0), gcc (>= 4.7),
> python-all (>= 2.6), dpkg-dev (>= 1.16.1.1), docbook-xsl, docbook-xml,
> xsltproc, autotools-dev
>
> Removed --with python2 from debian/rules and I see this near the end of the
> build:
>
> ...
> dh_install
> dh_installdocs
> dh_installchangelogs
> dh_installman
> dh_pysupport
> dh_pysupport: This program is deprecated, you should use dh_python2
> instead. Migration guide: http://deb.li/dhs2p

Oh, OK. Just ignore this warning. dh_pysupport is just called because
you are using compat 8 and it is installed.
--
Make your program read from top to bottom.
- The Elements of Programming Style (Kernighan & Plauger)
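
The "Fortify Source functions" verdict in the message above comes down to a symbol-table heuristic: an imported `__memcpy_chk` means a call site was fortified, while a binary importing only plain `memcpy`/`getcwd` gets "no, only unprotected functions found!". A simplified sketch of that classification, added here as an illustration and not taken from hardening-check or from this thread; the function list, the sample readelf lines and the helper names are assumptions.

```python
import subprocess

# Assumption: a small subset of the glibc functions that have a __<name>_chk
# variant under _FORTIFY_SOURCE; a real checker carries a much longer list.
FORTIFIABLE = {"memcpy", "memmove", "memset", "strcpy", "strncpy", "strcat", "sprintf",
               "snprintf", "printf", "fprintf", "getcwd", "read", "fgets"}

# Constructed sample in `readelf -W --dyn-syms` layout (not real capnp output).
SAMPLE = """\
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND getcwd@GLIBC_2.2.5 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (4)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND malloc@GLIBC_2.2.5 (3)
     5: 0000000000401000   120 FUNC    GLOBAL DEFAULT   14 main
"""

def imported_functions(readelf_text):
    """Return the names of undefined (imported) FUNC symbols."""
    names = set()
    for line in readelf_text.splitlines():
        f = line.split()
        # Columns: Num Value Size Type Bind Vis Ndx Name[@VERSION (n)]
        if len(f) >= 8 and f[3] == "FUNC" and f[6] == "UND":
            names.add(f[7].split("@")[0])
    return names

def fortify_verdict(names):
    """Classify imports as fortified (__x_chk) or plain fortifiable calls."""
    protected = sorted(n[2:-4] for n in names
                       if n.startswith("__") and n.endswith("_chk")
                       and n[2:-4] in FORTIFIABLE)
    unprotected = sorted(n for n in names if n in FORTIFIABLE)
    if protected:
        verdict = "yes"  # wording for this case is the example's own
    elif unprotected:
        verdict = "no, only unprotected functions found!"
    else:
        verdict = "unknown"  # no fortifiable libc function imported at all
    return verdict, protected, unprotected

def check_binary(path):
    """Run the same classification on a real ELF file (needs binutils)."""
    out = subprocess.run(["readelf", "-W", "--dyn-syms", path],
                         capture_output=True, text=True, check=True).stdout
    return fortify_verdict(imported_functions(out))

if __name__ == "__main__":
    print(fortify_verdict(imported_functions(SAMPLE)))
```

The "no" case only says that no `_chk` import was seen; whether each listed call is actually a problem still has to be judged from the source, as done above for getcwd() and memcpy().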