Enabling hardened build flags for Perl modules

Moritz Mühlenhoff jmm at inutil.org
Mon Jan 2 19:40:01 UTC 2012


On Sun, Jan 01, 2012 at 08:06:34PM -0800, Russ Allbery wrote:
> Moritz Muehlenhoff <jmm at debian.org> writes:
> 
> > Security-hardened build flags are a release goal for Wheezy:
> > http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
> 
> > I've been looking into all the packages, which had a DSA in the
> > last 5 years and started to submit patches.
> 
> > Since the Debian Perl Group maintains most Perl modules I'd like
> > to discuss how to enable hardened build flags for those modules,
> > which are arch:any.
> 
> > Most of the modules seem to have been converted to dh. When
> > run in debian/compat mode 9, dh automatically injects the
> > hardened build flags emitted by dpkg-buildflags:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=544844
> 
> I replied to you along the same lines privately about rssh, but one of my
> concerns (not that I'm at all active in the pkg-perl group at the moment,
> so please weigh this accordingly) is that debhelper compat level 9 is not
> finalized yet and is experimental.  Presumably Joey is doing that for
> a good reason.  It would be a lot more comfortable to switch to dh 9 after
> debhelper 9 has been released, rather than still able to undergo
> non-backward-compatible changes.

[This is not directly related to pkg-perl, since all these modules
are mostly alike, there's also the possibility of enabling hardened
build flags for Perl modules based on compat level 8]

There have been many packages, which converted to compat level 9
(my gut feeling 150-200) already and the first build flags code
is available since nearly half a year. It's working fine and while
there are always refinements there can hardly be massive changes anymore.
The freeze is only five months away and I'd rather see people
going forward with a straightforward solution than letting them
inject build flags on their own (which many people fail to do 
properly: Before I started to submit patches last week, there 
have been very few maintainers, who figured out how to enable 
hardened build flags properly).

Cheers,
        Moritz








