Bug#657853: Building perl with hardened build flags

Niko Tyni ntyni at debian.org
Sun Feb 12 12:54:59 UTC 2012 

[Thanks for taking this to the list; should've done that myself.
 Just a couple of quick comments for now.]

On Sat, Feb 11, 2012 at 01:51:19PM +0000, Dominic Hargreaves wrote:
> On Fri, Feb 10, 2012 at 11:29:09PM +0200, Niko Tyni wrote:
> > On Thu, Feb 09, 2012 at 08:44:25PM +0000, Dominic Hargreaves wrote:

> > A. make debhelper pass all of CFLAGS, CPPFLAGS, and LDFLAGS down to
> >    ExtUtils::MakeMaker and ExtUtils::CBuilder via suitable command line
> >    invocations (it currently passes only CFLAGS, starting with compat
> >    level 9)
> > 
> > B. make ExtUtils::MakeMaker and ExtUtils::CBuilder honour all of
> >    CFLAGS, CPPFLAGS, and LDFLAGS from the environment (debhelper
> >    sets these with compat level 9)
> 
> You haven't made it explicit, but I assume that the opt-out strategy
> here is to unset those environment flags in debian/rules (there is
> no specific way to opt-out with debhelper incantations that I can see).

debhelper v9 sets CFLAGS and the rest based on dpkg-buildflags, so
DEB_BUILD_MAINT_OPTIONS would be the way to opt out of specific hardening
flags when necessary.

> > C. force the flags that Perl was compiled with to the XS modules via
> >    $Config{ccflags} and friends

> Yes, I hadn't considered impact on non-packaged XS modules; it's probably
> less acceptable for them to have to opt-out. A shame, since it's the
> best way of ensuring that the buggy packages do get fixed, and in many
> ways my preferred option.

Yes, it certainly has upsides. I'm not totally ruling it out, but
it doesn't feel "right" to me.

> > Options A and B both require compat level changes to the all the XS
> > module packages. On the positive side, that also brings in the support
> > for DEB_BUILD_OPTIONS=noopt.
> 
> The compat changes are only required to get the benefit of hardening
> flags in those modules, which isn't strictly speaking necessary within
> the wheezy timeframe, AIUI. (In other words, we can satisfy the request
> to build perl itself with hardening flags without touching any other
> packages, if we implement A or B.)

That's a good point about the timeframe. So there's no real hurry with
the proposed debhelper changes in option A, they can be done after wheezy.

> > Options A and B also require some fiddling inside the perl package to
> > prevent the hardening flags from going into $Config{ccflags} and friends
> > even if we build perl itself with them. I don't except this to be
> > a big problem.
> 
> Although it may well be straying in a direction that upstream doesn't
> like.

I was thinking of a running sed on Config_heavy.pl after the build to take
the dpkg-buildflags induced options out. I think that's in our domain.
If there's a cleaner way to apply those flags to the Perl build without
imposing them on XS modules, I'd certainly be happy to adopt that.
-- 
Niko Tyni   ntyni at debian.org

More information about the Perl-maintainers mailing list