Bug#657853: Building perl with hardened build flags
Niko Tyni
ntyni at debian.org
Mon Mar 5 16:32:41 UTC 2012
On Tue, Feb 21, 2012 at 01:38:07PM +0200, Niko Tyni wrote:
> Problems/thoughts:
Most of this got addressed with the implementation that landed in
5.14.2-9, so I think we're fine now. Concluding notes:
> - we're invoking dpkg-buildflags in two places (debian/rules and
> debian/config.debian), and if the invocations go out of sync we get
> a silent failure.
Solved adequately enough.
> - not sure if we should blindly remove the dpkg-buildflags output
> from every line in Config_heavy.pm or just the ones we care about
> (i.e. ccflags, ld(dl?)flags)
I think just /^(cc|cpp)flags/ and /^ld(dl)?flags/ is OK.
In particular, I think it's good to keep it in config_args
so we aren't lying about the configuration.
> - should we be defensive against a situation where dpkg-buildflags
> returns something short and generic (like " " or "-g")?
Solved.
> - I'd love to delegate the -Doptimize handling to dpkg-buildflags
> instead of doing it manually, but that way we end up stripping the
> default optimize flags from Perl modules in the same way as the
> hardening flags, which is probably not good.
As long as we support building on systems without dpkg-buildflags,
which I think we should for now, this isn't going to happen.
--
Niko
More information about the Perl-maintainers
mailing list