[Pkg-octave-devel] [RFU] octave-pkg-dev 1.3.3
Sébastien Villemot
sebastien at debian.org
Mon Feb 1 17:20:11 UTC 2016
On Monday, 1 February 2016 at 14:47 +0100, Rafael Laboissiere wrote:
> * Sébastien Villemot <sebastien at debian.org> [2016-02-01 13:48]:
> >
> > On Monday, 1 February 2016 at 07:23 +0100, Rafael Laboissiere wrote:
> >>
> >> For all Octave-Forge add-on packages providing .oct, Lintian issues the
> >> hardening-no-bindnow warning. I prepared in Git (commit 3147799) a new
> >> version of octave-pkg-dev (1.3.3) that adds the appropriate linker flag
> >> to avoid that warning. Please, upload it to unstable.
> >
> > Could you possibly give us more background on your adding of this
> > specific linker flag? At this stage I don't have a clear understanding
> > of why it is needed in the first place, and what are the potential
> > implications for oct-forge packages.
>
> I apologize for not giving the context of the change. Thanks for asking
> me to do it.
>
> I am not sure this is really needed for the OF packages, but it is
> recommended for hardening them [1]. Lintian issues a warning tagged "X"
> (experimental) for all OF packages shipping *.oct files (e.g.,
> octave-signal [2]). When the OF packages are built against the version
> of octave-pkg-dev that is currently in the Git branch master, then the
> Lintian warning is gone.
>
> If the setting of the bindnow linker flag does not harm the packages, I
> guess we should do it.

Given that 1) octave stuff is not security-critical software and 2) some
(but not all) hardening features have a negative performance impact, my
natural tendency would be to stick to the hardening features enabled by
default when using dpkg-buildflags (as we do). Those features currently
are: format, fortify, stackprotectorstrong, relro.

In the particular case of the feature that you propose to activate
(bindnow), it seems that it has no drawback, so I am not opposed to it,
though I would still prefer to stick to the default flags by principle.

By the way, note that the preferred way of activating the bindnow
hardening feature seems to be:

    export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow

rather than manipulating directly the LDFLAGS (see the dpkg-buildflags
manpage).

Mike, Thomas, what do you think?

--
.''`. Sébastien Villemot
: :' : Debian Developer
`. `' http://sebastien.villemot.name
`- GPG Key: 4096R/381A7594