Bug#657853: Building perl with hardened build flags

Dominic Hargreaves dom at earth.li
Tue Feb 21 22:21:04 UTC 2012


On Tue, Feb 21, 2012 at 01:38:07PM +0200, Niko Tyni wrote:
> On Fri, Feb 17, 2012 at 12:36:21PM +0200, Niko Tyni wrote:
> 
> (cc's trimmed for the implementation details) 
> 
> > If we have consensus on that, the way forward as I see it:
> 
> Dominic, I'm not sure if you're fine with that plan?

Yes. Sorry I've lagged behind on this conversation recently.

> > - prepare a perl upload in unstable that is built with the hardened flags
> >   but doesn't export them through Config.pm
> 
> Here's my first try at this. It works, but I'm not really happy with it.
> My hack time is fairly limited ATM and I haven't got any further just
> by glaring at it, so it's probably better to share this anyway.
> 
> Problems/thoughts:
> 
> - we're invoking dpkg-buildflags in two places (debian/rules and
>   debian/config.debian), and if the invocations go out of sync we get
>   a silent failure.

Wouldn't be too much work to abstract that if needed.

> - not sure if we should blindly remove the dpkg-buildflags output
>   from every line in Config_heavy.pm or just the ones we care about
>   (i.e. ccflags, ld(dl?)flags)

No particular ideas about this one.

> - should we be defensive against a situation where dpkg-buildflags
>   returns something short and generic (like " " or "-g")? If we should,
>   the "blindly" part above becomes much less attractive

Mmm.

> - I'd love to delegate the -Doptimize handling to dpkg-buildflags
>   instead of doing it manually, but that way we end up stripping the
>   default optimize flags from Perl modules in the same way as the
>   hardening flags, which is probably not good.
> 
> Ideas/patches welcome.

I'm in much the same situation as well; fairly limited hack time at
the moment. 

So, not that this probably helps much, but: in order to make some
progress with this, you could commit your patch as-is, and also open
a wishlist bug recording the desired cleanups above.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
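
The defensive variant of the flag stripping discussed above, as an added example that is not part of the thread or of the Debian perl packaging: it strips whole tokens only from the ccflags, ldflags and lddlflags lines, refuses flag output that is too short to strip safely, and reports which keys changed so that a mismatch between the two dpkg-buildflags invocations is not silent. The key='value' line format, the function name, the threshold and the sample flags are assumptions constructed for illustration.

```python
import re
import shlex

# Only the keys the thread singles out; everything else (e.g. optimize) is left alone.
KEYS = ("ccflags", "ldflags", "lddlflags")
LINE_RE = re.compile(r"^(%s)='(.*)'$" % "|".join(KEYS))

# Constructed sample input, not taken from a real Config_heavy.pm.
SAMPLE_CONFIG = """\
cc='cc'
ccflags='-D_REENTRANT -DDEBIAN -fstack-protector -Wformat -D_FORTIFY_SOURCE=2 -pipe'
ldflags=' -Wl,-z,relro -L/usr/local/lib'
lddlflags='-shared -Wl,-z,relro -L/usr/local/lib'
optimize='-O2 -g'
"""
# Constructed stand-in for the combined dpkg-buildflags output.
SAMPLE_FLAGS = "-g -O2 -fstack-protector -Wformat -D_FORTIFY_SOURCE=2 -Wl,-z,relro"


def strip_build_flags(config_text, flags_output, min_tokens=3):
    """Return (new_text, changed_keys) with build-flag tokens removed from KEYS lines."""
    tokens = shlex.split(flags_output)
    # Guard against output like " " or "-g": too generic to strip safely.
    if len(tokens) < min_tokens:
        raise ValueError("build flags too short to strip: %r" % flags_output)
    wanted = set(tokens)
    out, changed = [], set()
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            old = m.group(2).split()
            kept = [t for t in old if t not in wanted]  # whole-token match only
            if kept != old:
                changed.add(m.group(1))
                line = "%s='%s'" % (m.group(1), " ".join(kept))
        out.append(line)
    return "\n".join(out), changed


if __name__ == "__main__":
    text, changed = strip_build_flags(SAMPLE_CONFIG, SAMPLE_FLAGS)
    # Fail loudly if nothing was stripped (the "out of sync" case).
    if changed != set(KEYS):
        raise SystemExit("flags not found in: %s" % sorted(set(KEYS) - changed))
    print(text)
```
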





