Bug#657853: Building perl with hardened build flags

Dominic Hargreaves dom at earth.li
Thu Feb 9 20:44:25 UTC 2012


On Wed, Feb 08, 2012 at 09:46:22AM +0200, Niko Tyni wrote:
> On Tue, Feb 07, 2012 at 10:13:58PM +0000, Dominic Hargreaves wrote:
> > On Tue, Feb 07, 2012 at 08:48:12PM +0000, Dominic Hargreaves wrote:
> > > I've just kicked off a test rebuild of all CPAN modules in Debian
> > > with the perl from experimental, to try and catch any severe
> > > breakage introduced by this.
> > 
> > Early indications from my rebuilds indicate that we will have some
> > new FTBFS bugs with
> > 
> > -Wformat-security -Werror=format-security
> 
> I suspect we need to patch ExtUtils::CBuilder to invoke dpkg-buildflags
> at XS module build time rather than blindly use $Config{ccflags} from
> perl. That way XS module packages can disable some hardening flags if
> necessary.

Hrm, I guess. Or add a more generic function to allow the stripping out
of build flags (NOCCFLAGS?)? Presumably we'd need to fix
ExtUtils::MakeMaker too.

It would be nice to fix all the packages first, but it's probably not
a sensible approach.

The summary of my test run is:

- 13 packages newly FTBFS with the perl from experimental installed
- of those, 12 are -Werror=format-security issues
- 1 (libsystem-command-perl) is a test failure I haven't diagnosed,
  which is also found at [1] and [2] (at least) where hardening flags
  aren't to be found.

The test build logs are up at
<http://people.debian.org/~dom/perl/test/hardening-logs/>

[1] <http://www.cpantesters.org/cpan/report/8df074dc-5142-11e1-a48f-e7fb434ae6f1>
[2] <http://www.cpantesters.org/cpan/report/29dae392-4058-11e1-9d6f-f6dbfa7543f5>

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
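
The message above reports builds that start failing under -Wformat-security -Werror=format-security. As an added illustration (not part of the original message, nor code from any package in the test run), the C program below shows the kind of call those flags reject and the usual fix. log_msg(), report_safe() and report_flagged() are hypothetical names, and the sample string is constructed.

```c
/* Added example; all function names here are hypothetical.
 * Build: gcc -Wformat -Wformat-security -Werror=format-security demo.c
 * Add -DSHOW_FLAGGED_CALL to see -Werror=format-security reject the call. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_msg[128];   /* last formatted message, kept for inspection */

/* The format attribute makes the compiler check callers as it does printf(). */
static int log_msg(const char *fmt, ...) __attribute__((format(printf, 1, 2)));

static int log_msg(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(last_msg, sizeof last_msg, fmt, ap);
    va_end(ap);
    return n;                /* length the full message needs */
}

/* Fixed form: constant format string; the text is only ever an argument,
 * so any '%' sequences inside it are copied, not interpreted. */
static const char *report_safe(const char *text)
{
    log_msg("%s", text);
    return last_msg;
}

#ifdef SHOW_FLAGGED_CALL
/* Flagged form: a non-literal format string with no arguments. Any "%x"
 * or "%n" inside text would be treated as a conversion specification. */
static const char *report_flagged(const char *text)
{
    log_msg(text);
    return last_msg;
}
#endif

int main(void)
{
    const char *sample = "disk 100%s full %x %x";   /* constructed input */
    puts(report_safe(sample));                      /* text comes out unchanged */
    return 0;
}
```

Switching a call from the flagged form to the fixed form is a source-level change in the module, independent of whether the build flags come from $Config{ccflags} or from dpkg-buildflags.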





