Bug#657853: Building perl with hardened build flags
Dominic Hargreaves
dom at earth.li
Tue Feb 21 22:21:04 UTC 2012
On Tue, Feb 21, 2012 at 01:38:07PM +0200, Niko Tyni wrote:
> On Fri, Feb 17, 2012 at 12:36:21PM +0200, Niko Tyni wrote:
>
> (cc's trimmed for the implementation details)
>
> > If we have consensus on that, the way forward as I see it:
>
> Dominic, I'm not sure if you're fine with that plan?

Yes. Sorry I've lagged behind on this conversation recently.

> > - prepare a perl upload in unstable that is built with the hardened flags
> > but doesn't export them through Config.pm
>
> Here's my first try at this. It works, but I'm not really happy with it.
> My hack time is fairly limited ATM and I haven't got any further just
> by glaring at it, so it's probably better to share this anyway.
>
> Problems/thoughts:
>
> - we're invoking dpkg-buildflags in two places (debian/rules and
> debian/config.debian), and if the invocations go out of sync we get
> a silent failure.

Wouldn't be too much work to abstract that if needed.

> - not sure if we should blindly remove the dpkg-buildflags output
> from every line in Config_heavy.pm or just the ones we care about
> (i.e. ccflags, ld(dl?)flags)

No particular ideas about this one.

> - should we be defensive against a situation where dpkg-buildflags
> returns something short and generic (like " " or "-g")? If we should,
> the "blindly" part above becomes much less attractive

Mmm.

> - I'd love to delegate the -Doptimize handling to dpkg-buildflags
> instead of doing it manually, but that way we end up stripping the
> default optimize flags from Perl modules in the same way as the
> hardening flags, which is probably not good.
>
> Ideas/patches welcome.

I'm in much the same situation as well; fairly limited hack time at
the moment.

So, not that this probably helps much, but: in order to make some
progress with this, you could commit your patch as-is, and also open
a wishlist bug recording the desired cleanups above.

Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
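
One way to approach the stripping questions raised in the problem list above, as an added example that is not the patch from this thread or Debian's packaging code: flags are removed token by token from selected keys only, and the run aborts instead of failing silently when the flag string is short and generic or when a selected key contains none of the flags. The function name `strip_flags`, the list of generic flags, and the sample lines and flag values are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Flags too generic to strip safely (illustrative list, an assumption).
my %GENERIC = map { $_ => 1 } qw(-g -O0 -O1 -O2 -O3 -Os);

# Strip build flags, token by token, from selected key='value' lines.
# %$per_key maps a config key to the flag string to remove from it.
# Dies instead of failing silently when a flag string is empty or only
# generic, or when a selected key contains none of its flags.
sub strip_flags {
    my ($text, $per_key) = @_;
    my %strip;
    for my $key (keys %$per_key) {
        my @specific = grep { !$GENERIC{$_} } split ' ', $per_key->{$key};
        die "$key: no specific flags to strip\n" unless @specific;
        $strip{$key} = { map { $_ => 1 } @specific };
    }
    my @out;
    for my $line (split /^/m, $text) {
        if ($line =~ /^(\w+)='(.*)'$/ && $strip{$1}) {
            my ($key, @tokens) = ($1, split ' ', $2);
            my @kept = grep { !$strip{$key}{$_} } @tokens;
            die "$key: flags not found, invocations out of sync?\n"
                if @kept == @tokens;
            $line = "$key='" . join(' ', @kept) . "'\n";
        }
        push @out, $line;
    }
    return join '', @out;
}

# Constructed sample: Config_heavy.pm-style lines and flag strings.
my $sample = <<'EOT';
cc='cc'
ccflags='-D_REENTRANT -DDEBIAN -fstack-protector -Wformat -Werror=format-security'
ldflags=' -Wl,-z,relro -L/usr/local/lib'
optimize='-O2 -g'
EOT
my $cflags  = '-g -O2 -fstack-protector -Wformat -Werror=format-security';
my $ldflags = '-Wl,-z,relro';

print strip_flags($sample, { ccflags => $cflags, ldflags => $ldflags });

# A short, generic flag string is rejected rather than applied.
eval { strip_flags($sample, { ccflags => '-g' }) };
print "rejected: $@" if $@;
```

Because only the listed keys are rewritten and generic tokens are never stripped, the `optimize` line is left untouched.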