[Pkg-octave-devel] [RFU] octave-pkg-dev 1.3.3

Sébastien Villemot sebastien at debian.org
Mon Feb 1 17:20:11 UTC 2016


On Monday, 01 February 2016 at 14:47 +0100, Rafael Laboissiere wrote:
> * Sébastien Villemot <sebastien at debian.org> [2016-02-01 13:48]:
> >
> > On Monday, 01 February 2016 at 07:23 +0100, Rafael Laboissiere wrote:
> >>
> >> For all Octave-Forge add-on packages providing .oct, Lintian issues the 
> >> hardening-no-bindnow warning.  I prepared in Git (commit 3147799) a new 
> >> version of octave-pkg-dev (1.3.3) that adds the appropriate linker flag 
> >> to avoid that warning.  Please, upload it to unstable.
> >
> > Could you possibly give us more background on your adding of this 
> > specific linker flag? At this stage I don't have a clear understanding 
> > of why it is needed in the first place, and what the potential 
> > implications are for oct-forge packages.
> 
> I apologize for not giving the context of the change.  Thanks for asking 
> me to do it.
> 
> I am not sure this is really needed for the OF packages, but it is 
> recommended for hardening them [1].  Lintian issues a warning tagged "X" 
> (experimental) for all OF packages shipping *.oct files (e.g., 
> octave-signal [2]).  When the OF packages are built against the version 
> of octave-pkg-dev that is currently in the Git branch master, then the 
> Lintian warning is gone.
> 
> If the setting of the bindnow linker flag does not harm the packages, I 
> guess we should do it.

Given that 1) octave stuff is not security-critical software and 2) some
(but not all) hardening features have a negative performance impact, my
natural tendency would be to stick to the hardening features enabled by
default when using dpkg-buildflags (as we do). Those features currently
are: format, fortify, stackprotectorstrong, relro.

In the particular case of the feature that you propose to activate
(bindnow), it seems that it has no drawback, so I am not opposed to it,
though I would still prefer to stick to the default flags by principle. 

By the way, note that the preferred way of activating the bindnow
hardening feature seems to be:

  export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow

rather than manipulating directly the LDFLAGS (see the dpkg-buildflags
manpage).

Mike, Thomas, what do you think?

-- 
 .''`.    Sébastien Villemot
: :' :    Debian Developer
`. `'     http://sebastien.villemot.name
  `-      GPG Key: 4096R/381A7594
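As an added example (not from this thread, nor part of octave-pkg-dev or Lintian): a small POSIX shell check, run against `readelf -d` output, for the BIND_NOW dynamic flag that the hardening-no-bindnow tag is about, so a maintainer can confirm on a built .oct file that `hardening=+bindnow` actually took effect. The two readelf dumps below are constructed samples, and `check_oct_file` assumes binutils' `readelf` is on the PATH.

```shell
#!/bin/sh
# Added example, not code from the thread: verify that a shared object
# (e.g. an Octave-Forge .oct file) was linked with -Wl,-z,now.
# has_bindnow reads `readelf -d` style output on stdin and succeeds (exit 0)
# when a BIND_NOW dynamic flag is present; readelf reports it either as
# "(FLAGS) BIND_NOW" or as "NOW" inside the "(FLAGS_1) Flags:" list.
has_bindnow() {
    grep -Eq '\(FLAGS\)[[:space:]]+BIND_NOW|\(FLAGS_1\)[[:space:]]+Flags:( [A-Z_]+)* NOW( |$)'
}

# check_oct_file runs readelf on a real file (assumes binutils is installed).
# Usage: check_oct_file /usr/lib/x86_64-linux-gnu/octave/packages/signal-*/x86_64-pc-linux-gnu-api-*/foo.oct
check_oct_file() {
    readelf -d "$1" | has_bindnow
}

# bindnow_status prints "bindnow" or "lazy" for a readelf dump passed as $1.
bindnow_status() {
    if printf '%s\n' "$1" | has_bindnow; then echo bindnow; else echo lazy; fi
}

# Constructed sample: a lazily bound .oct (what Lintian flags today).
SAMPLE_LAZY='Dynamic section at offset 0x1fd80 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [liboctinterp.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000c (INIT)               0x3000
 0x000000006ffffffb (FLAGS_1)            Flags: PIE
 0x0000000000000000 (NULL)               0x0'

# Constructed sample: the same object after relinking with hardening=+bindnow.
SAMPLE_NOW='Dynamic section at offset 0x1fd60 contains 29 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [liboctinterp.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
 0x0000000000000000 (NULL)               0x0'
```

Together with a PT_GNU_RELRO segment (the `relro` feature that dpkg-buildflags already enables), BIND_NOW is what makes the GOT fully read-only after loading.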