[Build-common-hackers] Bug#651964: Bug#651964: Bug#651964: cdbs: class/langcore.mk doesn't set CPPFLAGS and LDFLAGS from dpkg-buildflags

Jonas Smedegaard dr at jones.dk
Wed Feb 1 00:05:39 UTC 2012


On 12-01-31 at 09:48pm, Moritz Muehlenhoff wrote:
> On Wed, Dec 14, 2011 at 01:16:40AM +0700, Jonas Smedegaard wrote:
> > tags 651964 wontfix
> > thanks
> > 
> > On 11-12-13 at 05:34pm, Simon Ruderich wrote:
> > > While trying to build poppler with hardening flags I noticed that 
> > > CPPFLAGS and LDFLAGS were not set correctly. This is an important 
> > > problem as it causes several hardening flags (fortify source, 
> > > relro) to not get included in the build.
> > > 
> > > Adding the following lines to class/langcore.mk.in in line 57 
> > > where CFLAGS and CXXFLAGS are already set fixes the problem:
> > > 
> > >     CPPFLAGS += $(deb_cppflags)
> > >     LDFLAGS += $(deb_ldflags)
> > 
> > 
> > Thanks for your bug report.
> > 
> > I agree with you that some flags were set properly in the past.  
> > Unfortunately some packages depend on the old broken behaviour, so 
> > it can not be corrected now.
> 
> Hi Jonas,
> I'm currently working my way through all packages, which have had a 
> DSA in the last five years and/or which are of Priority >= important.
> I've nearly finished all packages based on debhelper and I now proceed 
> with the packages based on cdbs.
> 
> Please reconsider the wontfix: Out of the three *FLAGS emitted by 
> dpkg-buildflags, CFLAGS is the only option which causes build 
> problems (almost exclusively due to missing format strings exposed by 
> "-Wformat -Wformat-security -Werror=format-security").
> 
> The two additional flags are harmless and won't cause any further 
> build failures:
> 
> CPPFLAGS=-D_FORTIFY_SOURCE=2 activates replacement of insecure C library
> calls at build time, see here for details:
> http://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_FORTIFY_.28gcc.2BAC8-g.2B-.2B-_-D_FORTIFY_SOURCE.3D2.29
> 
> LDFLAGS=-Wl,-z,relro activates a linker flag, see here for details:
> http://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_RELRO_.28ld_-z_relro.29
> 
> I've run test conversions for 200-250 packages and D_FORTIFY_SRC and
> relro didn't cause any problems (plus most distros have patched their
> toolchain, which enables this by default).
> 
> So, please activate these flags as suggested by Simon, otherwise this 
> causes a lot of additional manual overhead. (Plus, your workaround 
> doesn't work, see below).

[embarrassing bug snipped]

Thanks for the investigations.  I am convinced!

I'll simplify CDBS to always use new behaviour, and hope it causes no 
breakage.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
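Added example, not part of the thread or of cdbs: a small ELF checker that tells a package maintainer whether the two flags discussed above actually reached a built binary. RELRO is detected from the PT_GNU_RELRO program header that -Wl,-z,relro makes the linker emit; fortification is detected heuristically by looking for the *_chk libc wrappers that -D_FORTIFY_SOURCE=2 substitutes. The fake ELF builder and the symbol list are constructed for offline testing.

```python
"""Check a built ELF for RELRO and FORTIFY_SOURCE (constructed example)."""
import struct
import sys

PT_GNU_RELRO = 0x6474E552          # program header type emitted by ld -z relro
ELF_MAGIC = b"\x7fELF"
# A few of the checked wrappers glibc substitutes under -D_FORTIFY_SOURCE=2
FORTIFIED = (b"__memcpy_chk", b"__strcpy_chk", b"__printf_chk", b"__sprintf_chk")

def program_header_types(data):
    """Return the p_type of every program header (ELF32 and ELF64, either endianness)."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    return [struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)[0]
            for i in range(e_phnum)]

def check_hardening(data):
    """relro: PT_GNU_RELRO present; fortify: any *_chk wrapper name in the image (heuristic)."""
    return {
        "relro": PT_GNU_RELRO in program_header_types(data),
        "fortify": any(sym in data for sym in FORTIFIED),
    }

def make_fake_elf(relro, fortify):
    """Constructed minimal little-endian ELF64 image (headers only, not loadable) for testing."""
    phdrs = [1, 2]                        # PT_LOAD, PT_DYNAMIC
    if relro:
        phdrs.append(PT_GNU_RELRO)
    ehdr = bytearray(64)
    ehdr[:4] = ELF_MAGIC
    ehdr[4], ehdr[5] = 2, 1               # ELFCLASS64, ELFDATA2LSB
    struct.pack_into("<Q", ehdr, 32, 64)  # e_phoff: program headers follow the header
    struct.pack_into("<HH", ehdr, 54, 56, len(phdrs))  # e_phentsize, e_phnum
    body = b"".join(struct.pack("<I", t) + bytes(52) for t in phdrs)
    strtab = b"\x00libc.so.6\x00" + (b"__memcpy_chk\x00" if fortify else b"memcpy\x00")
    return bytes(ehdr) + body + strtab

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(check_hardening(fh.read()))
```

A binary compiled with -D_FORTIFY_SOURCE=2 but without -O1 or higher shows no *_chk symbols, because glibc only enables the checked wrappers under optimization; likewise a program that makes no bounds-checkable libc calls will report fortify as False even when the flag was passed.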