On Sun, Apr 01, 2012 at 05:16:38PM +0200, Niels Thykier wrote: > Thanks, I have pushed it to my branch (with a minor change to also update > the Depends of lintian in d/control).
Great! > Kees, btw, are you certain of the copyright statements in > collection/hardening-info? > > """ > # The original shell script version of this script is > # Copyright (C) 1998 Christian Schwarz > # > # The objdump version, including support for etch's binutils, is > # Copyright (C) 2008 Adam D. Barratt > # > # This version, a trimmed-down wrapper for hardening-check, is > # Copyright (C) 2012 Kees Cook <k...@debian.org> > """ > > I suspect some of it is copy-waste from collection/objdump-info... Yeah, when collection/hardening-info started its life, it was largely copied from objdump-info. I wasn't sure if I should drop the copy rights from there, so I left them. If they shouldn't be there, then we can drop them (patch attached). > > After this patch, the TODO's single remaining item is: > > > > + revise tag certainty and description: > > - overrides (we can't do much about FP etc.) > > > > What is needed for this? Should I expand the descriptions more? Or was > > there something else? > > > > It was mostly a reminder to myself to review them and maybe add a > "disclaimer" on the false-positives. Yeah, I tried to do this in the descriptions already, but maybe it could be even more verbose. I wasn't sure to what level to get into the details of the potential false positives. I am, of course, open to any improvements! :) > There was also something else, namely making the test suite able to > handle the architecture specific nature of the hardening tags. I > have committed some code to handle this.[0] Assuming no one objects > to the approach, I think we are more or less good to go. Ah! Yeah, very cool. That had totally slipped my mind. > Optimally, Lintian would handle the architecture specific part of > these tags better in terms of overrides so people do not have to > maintain the archlist for their overrides. However, that can come > in Lintian 2.5.8 or some later time (if at all). Wouldn't overrides only be a problem if a maintainer disabled a hardening feature on a subset of the archs that expected it to be enabled? This seems unlikely, or maybe I've misunderstood. > I have rebased the branch and it is now available from [1] and I > intend to merge it into master before we do the 2.5.7 release. > As mentioned, I have added a new test suite hook[0], which some > may (or may not) find controversial. > > Assuming no comments/objections, I intend to merge the branch > into master before the end of Easter. Great! Thank you so much for all the help with this. :) -Kees -- Kees Cook @debian.org
diff --git a/collection/hardening-info b/collection/hardening-info index b7408be..3e9c6fa 100755 --- a/collection/hardening-info +++ b/collection/hardening-info @@ -1,13 +1,7 @@ #!/usr/bin/perl -w # hardening-info -- lintian collection script -# The original shell script version of this script is -# Copyright (C) 1998 Christian Schwarz -# -# The objdump version, including support for etch's binutils, is -# Copyright (C) 2008 Adam D. Barratt -# -# This version, a trimmed-down wrapper for hardening-check, is +# This trimmed-down wrapper for hardening-check is # Copyright (C) 2012 Kees Cook <k...@debian.org> # # This program is free software; you can redistribute it and/or modify
