Package: pygpiv
Severity: normal
Tags: patch

Hi,

Hardened build flags are one of the release goals of the forthcoming
Debian releases. A number of security problems in the past have been
identified in packages that hadn't been fortified. For more
information, see:

    http://lists.debian.org/debian-devel-announce/2012/02/msg00016.html
    http://lists.debian.org/debian-dpkg/2011/09/msg00013.html
    http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags

See the attached patch to help migrate to hardened flags. At the same
time I fixed items reported by Lintian and upgraded the package to the
latest tools and Standards-Version.

Thanks,
Jari

From 4ef63ba55cee9fcce0ad0229e50284d63c73c0d0 Mon Sep 17 00:00:00 2001
From: Jari Aalto <jari.aa...@cante.net>
Date: Sat, 7 Apr 2012 09:49:19 +0300
Subject: [PATCH] harden
Organization: Private
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Signed-off-by: Jari Aalto <jari.aa...@cante.net>
---
 debian/README.source                               |   38 --------------------
 debian/changelog                                   |   11 ++++++
 debian/compat                                      |    2 +-
 debian/control                                     |    4 +-
 .../{01_python2.6.diff => 01_python2.6.patch}      |    8 +---
 ...include.diff => 02_fix_multiarch_include.patch} |    8 +---
 debian/patches/series                              |    4 +-
 debian/rules                                       |   12 ++++++-
 8 files changed, 31 insertions(+), 56 deletions(-)
 delete mode 100644 debian/README.source
 rename debian/patches/{01_python2.6.diff => 01_python2.6.patch} (69%)
 mode change 100755 => 100644
 rename debian/patches/{02_fix_multiarch_include.diff => 02_fix_multiarch_include.patch} (82%)
 mode change 100755 => 100644

diff --git a/debian/README.source b/debian/README.source
deleted file mode 100644
index fc98b3d..0000000
--- a/debian/README.source
+++ /dev/null
@@ -1,38 +0,0 @@
-This package uses dpatch to manage all modifications to the upstream
-source. Changes are stored in the source package as diffs in
-debian/patches and applied during the build.
-
-To get the fully patched source after unpacking the source package, cd
-to the root level of the source package and run:
-
-    debian/rules patch
-
-Removing a patch is as simple as removing its entry from the
-debian/patches/00list file, and please also remove the patch file
-itself.
-
-Creating a new patch is done with "dpatch-edit-patch patch XX_patchname"
-where you should replace XX with a new number and patchname with a
-descriptive shortname of the patch. You can then simply edit all the
-files your patch wants to edit, and then simply "exit 0" from the shell
-to actually create the patch file.
-
-To tweak an already existing patch, call "dpatch-edit-patch XX_patchname"
-and replace XX_patchname with the actual filename from debian/patches
-you want to use.
-
-To clean up afterwards again, "debian/rules unpatch" will do the
-work for you - or you can of course choose to call
-"fakeroot debian/rules clean" all together.
-
-
---- 
-
-this documentation is part of dpatch package, and may be used by
-packages using dpatch to comply with policy on README.source. This
-documentation is meant to be useful to users who are not proficient in
-dpatch in doing work with dpatch-based packages. Please send any
-improvements to the BTS of dpatch package.
-
-original text by Gerfried Fuchs, edited by Junichi Uekawa <dan...@debian.org>
-10 Aug 2008.
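Review bot: the removal is sound: the text describes a dpatch workflow (debian/rules patch, debian/patches/00list, dpatch-edit-patch) that no longer matches this package, which already carries a debian/patches/series file edited later in this same patch, and under source format 3.0 (quilt) Policy no longer requires a README.source for the patch system. Make sure the format switch the changelog announces is actually part of the upload, otherwise the package is left with no description at all of how its patches are applied.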
diff --git a/debian/changelog b/debian/changelog
index 5372b7f..7ed191b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+pygpiv (2.0.0-4.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Upgrade to packaging format "3.0 quilt".
+  * Convert dpatch format *.diff files into DEP3, README.source not needed.
+  * Update to Standards-Version to 3.9.3.1 and debhelper to 9.
+  * Use hardened build flags and dh_prep in rules file
+    http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
+
+ -- Jari Aalto <jari.aa...@cante.net>  Sat, 07 Apr 2012 09:29:49 +0300
+
 pygpiv (2.0.0-4) unstable; urgency=low
 
   * Repairs python dependency on hdf5.
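Review bot: the entry says "Upgrade to packaging format 3.0 quilt", but no debian/source/format file appears in the diffstat; add one containing the single line 3.0 (quilt) or drop that bullet. Two more things belong in this entry: the rules comment that the sources do not build with hardening=+all (so the next maintainer knows why pie/bindnow are not enabled), and a Closes: reference to this bug report, as is customary for an NMU.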
diff --git a/debian/compat b/debian/compat
index 1e8b314..ec63514 100644
--- a/debian/compat
+++ b/debian/compat
@@ -1 +1 @@
-6
+9
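Review bot: going from 6 straight to 9 skips two compat levels, so build in a clean chroot and compare the resulting .deb contents against the -4 package. Note also that compat 9 only injects dpkg-buildflags output through the dh_auto_* helpers; this rules file runs setup.py by hand, so the buildflags.mk include in debian/rules, not the compat bump, is what hardens the build. The dh_clean -k to dh_prep change elsewhere in this patch is the one thing compat 7 and later actually require.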
diff --git a/debian/control b/debian/control
index 22ba977..a4b8717 100644
--- a/debian/control
+++ b/debian/control
@@ -3,9 +3,9 @@ Section: python
 Priority: extra
 Maintainer: Gerber van der Graaf <gerber_gr...@users.sourceforge.net>
 X-Python-Version: >=2.7
-Standards-Version: 3.9.2
+Standards-Version: 3.9.3.1
 Homepage: http://libgpiv.sourceforge.net/pygpiv.html
-Build-Depends: debhelper (>= 6), python-all-dev (>= 2.6.6-3~),
+Build-Depends: debhelper (>= 9), dpkg-dev (>= 1.16.1), python-all-dev (>= 2.6.6-3~),
  swig, libglib2.0-dev, libfftw3-dev, libgsl0-dev,
  libhdf5-dev (>= 1.8.8), libnetpbm10-dev, libpng-dev, libgpiv3-dev
 
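Review bot: the versioned dpkg-dev (>= 1.16.1) build-dependency is the right one: that is the dpkg release whose dpkg-buildflags emits the hardening flags and honours DEB_BUILD_MAINT_OPTIONS, and it is the version that introduced /usr/share/dpkg/buildflags.mk with DPKG_EXPORT_BUILDFLAGS. debhelper (>= 9) matches the new debian/compat. Nothing else to flag in this hunk.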
diff --git a/debian/patches/01_python2.6.diff b/debian/patches/01_python2.6.patch
old mode 100755
new mode 100644
similarity index 69%
rename from debian/patches/01_python2.6.diff
rename to debian/patches/01_python2.6.patch
index a93ed6a..1ae0bc0
--- a/debian/patches/01_python2.6.diff
+++ b/debian/patches/01_python2.6.patch
@@ -1,10 +1,6 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## python2.6.dpatch by  <ger...@hamburg.upc.es>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: No description.
+From: <ger...@hamburg.upc.es>
+Subject: No description.
 
-@DPATCH@
 diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' pygpiv-2.0.0~/pygpiv.i pygpiv-2.0.0/pygpiv.i
 --- pygpiv-2.0.0~/pygpiv.i	2009-11-03 19:44:41.000000000 +0100
 +++ pygpiv-2.0.0/pygpiv.i	2010-03-02 15:50:22.000000000 +0100
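Review bot: "Subject: No description." with an empty From: name just carries the dpatch placeholder into DEP-3 form; the header should say what the change to pygpiv.i is for (the filename suggests a Python 2.6 adjustment) and carry a Forwarded: line (or Forwarded: not-needed) so the next person knows whether upstream has it. Dropping the #! line and the @DPATCH@ marker is correct for quilt, which only reads the diff body.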
diff --git a/debian/patches/02_fix_multiarch_include.diff b/debian/patches/02_fix_multiarch_include.patch
old mode 100755
new mode 100644
similarity index 82%
rename from debian/patches/02_fix_multiarch_include.diff
rename to debian/patches/02_fix_multiarch_include.patch
index 298daad..12a56cc
--- a/debian/patches/02_fix_multiarch_include.diff
+++ b/debian/patches/02_fix_multiarch_include.patch
@@ -1,10 +1,6 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 02_fix_multiarch_include.dpatch by Michael Terry <mte...@ubuntu.com>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Use pkg-config to find library needed for glib-2.0
+From: Michael Terry <mte...@ubuntu.com>
+Subject: Use pkg-config to find library needed for glib-2.0
 
-@DPATCH@
 diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' pygpiv~/setup.py pygpiv/setup.py
 --- pygpiv~/setup.py	2011-07-05 11:19:59.000000000 -0400
 +++ pygpiv/setup.py	2011-07-05 11:20:43.348848694 -0400
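Review bot: the DEP-3 header could also carry Origin: vendor, Ubuntu and a Forwarded: line, since a setup.py fix that locates glib-2.0 through pkg-config is exactly the kind of change upstream would take; otherwise the conversion is fine.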
diff --git a/debian/patches/series b/debian/patches/series
index ba06f05..fcc8e12 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,2 @@
-01_python2.6.diff
-02_fix_multiarch_include.diff
+01_python2.6.patch
+02_fix_multiarch_include.patch
diff --git a/debian/rules b/debian/rules
index a192652..bcb5ac6 100755
--- a/debian/rules
+++ b/debian/rules
@@ -10,6 +10,14 @@
 #export DH_VERBOSE=1
 PREFIX := debian/python-gpiv/usr
 
+# NOTE: Sources wonät compile with all hardening enabled:
+# export DEB_BUILD_MAINT_OPTIONS= hardening=+all
+
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
+
+CFLAGS	+= -Wall
+LDFLAGS += -Wl,--as-needed
 
 clean: 
 	dh_testdir
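Review bot: the NOTE does not say which hardening feature breaks the build, and "wonät" is a mis-encoded "won't". On top of the defaults, hardening=+all only adds pie and bindnow; pie is the likely culprit for a package that builds nothing but a Python extension module, because with this dpkg-dev +pie puts -pie into LDFLAGS and the linker refuses -pie together with -shared. Try `export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow` (equivalently +all,-pie) before the include, and record which feature had to be dropped and why instead of leaving only a commented-out line. The ordering is otherwise right: the option must be exported before buildflags.mk is included, and -Wall / -Wl,--as-needed are appended after it, so the dpkg-buildflags values are kept.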
@@ -29,6 +37,8 @@ build-stamp:
 	dh_testdir
 
 	# Add here commands to compile the package.
+	CFLAGS="$(CFLAGS) $(CPPFLAGS)" \
+	LDFLAGS="$(LDFLAGS)" \
 	python ./setup.py build -b debian/python-gpiv
 	touch $@
 
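Review bot: passing CFLAGS="$(CFLAGS) $(CPPFLAGS)" is what gets -D_FORTIFY_SOURCE=2 into the distutils compile line, since DPKG_EXPORT_BUILDFLAGS only exports the make variables and setup.py is not a recipe that would merge CPPFLAGS on its own; Python 2.7's distutils also reads CPPFLAGS from the environment, so the macro may appear twice on the gcc line, which is harmless. After the build, confirm the flags actually reached the compiler, either by reading the gcc lines distutils echoes during build_ext or by running hardening-check (package hardening-includes) on the extension module under debian/python-gpiv; a module linked without -Wl,-z,relro or lacking a __stack_chk_fail import means the environment was not picked up.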
@@ -36,7 +46,7 @@ build-stamp:
 install: build
 	dh_testdir
 	dh_testroot
-	dh_clean -k 
+	dh_prep 
 
 	# Add here commands to install the package into debian/pygpiv.
 	python ./setup.py install --root=debian/python-gpiv
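Review bot: dh_prep is the right replacement for dh_clean -k, which debhelper deprecated at compat 7, and this package is now at 9; the added line carries a trailing space, drop it. The stale comment on the context line ("install the package into debian/pygpiv", while the real directory is debian/python-gpiv) could be fixed while here.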
-- 
1.7.9.1
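The patch can only be called successful if the hardening flags actually end up in the built extension module, and the rules comment says full hardening does not even link. The Debian tool for that check is hardening-check from the hardening-includes package, which drives readelf and objdump. The following is an added example, not part of Jari's patch, of pygpiv, or of hardening-check itself: a small Python reimplementation of the same checks that reads the ELF file directly, so it can be run on the module setup.py builds under debian/python-gpiv (that path is assumed, as is the file being an ELF64 little-endian object with its section headers intact, which strip leaves in place). Like hardening-check it cannot tell "no fortifiable calls" from "not fortified", and it reports PIE as not applicable for a shared object, which is never PIE in the executable sense.

```python
"""Minimal ELF hardening inspector (added example, not part of the pygpiv
patch or of Debian's hardening-check).  Reports the properties that the
dpkg-buildflags hardening options are meant to leave in a built binary.

Assumptions: ELF64, little-endian, section headers present (strip keeps
.dynsym and .dynamic); ELF32 and big-endian inputs are rejected.
"""
import struct

# Program header types and flags
PT_INTERP, PT_GNU_STACK, PT_GNU_RELRO = 3, 0x6474E551, 0x6474E552
PF_X = 1
# Section header types
SHT_DYNAMIC, SHT_DYNSYM = 6, 11
# Dynamic tags and flag bits that mean "bind now" (-Wl,-z,now)
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
ET_DYN = 3
SHN_UNDEF = 0


def parse_elf64(data):
    """Return (e_type, program headers, section headers) of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled by this example")
    (e_type, _mach, _ver, _entry, e_phoff, e_shoff, _flags, _ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum,
     _shstrndx) = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
    phdrs = [struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]
    # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    return e_type, phdrs, shdrs


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def check_hardening(path):
    """Map of check name -> True/False, or None where the check does not apply."""
    with open(path, "rb") as f:
        data = f.read()
    e_type, phdrs, shdrs = parse_elf64(data)
    ptypes = [p[0] for p in phdrs]
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    if e_type == ET_DYN:
        pie = True if PT_INTERP in ptypes else None  # ET_DYN without PT_INTERP: a shared object
    else:
        pie = False
    result = {
        "relro": PT_GNU_RELRO in ptypes,                 # -Wl,-z,relro
        "bindnow": False,                                # -Wl,-z,now (hardening=+bindnow)
        "nx": bool(stack) and not (stack[0][1] & PF_X),  # non-executable stack
        "pie": pie,                                      # -fPIE -pie (hardening=+pie)
        "stack_protector": False,                        # -fstack-protector
        "fortify": False,                                # -D_FORTIFY_SOURCE=2 with -O2
    }
    for sh in shdrs:
        sh_type, sh_off, sh_size, sh_link, sh_entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type == SHT_DYNAMIC:
            for pos in range(sh_off, sh_off + sh_size, 16):
                tag, val = struct.unpack_from("<qQ", data, pos)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    result["bindnow"] = True
        elif sh_type == SHT_DYNSYM:
            strtab_off = shdrs[sh_link][4]
            for pos in range(sh_off, sh_off + sh_size, sh_entsize or 24):
                st_name, _info, _other, st_shndx, _val, _size = \
                    struct.unpack_from("<IBBHQQ", data, pos)
                if st_shndx != SHN_UNDEF or st_name == 0:
                    continue                       # only imported symbols matter
                name = _cstr(data, strtab_off + st_name)
                if name == "__stack_chk_fail":
                    result["stack_protector"] = True
                elif name.endswith("_chk") and not name.startswith("__stack_chk"):
                    result["fortify"] = True       # e.g. __memcpy_chk, __printf_chk
    return result


def missing(result):
    """Checks that failed outright; None (not applicable) is not a failure."""
    return [name for name, ok in result.items() if ok is False]


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        res = check_hardening(path)
        print(path)
        for name, ok in res.items():
            print("  %-16s %s" % (name, "n/a" if ok is None else ("yes" if ok else "NO")))
        if missing(res):
            print("  missing: " + ", ".join(missing(res)))
```

Run it as `python3 elfharden.py debian/python-gpiv/usr/lib/python2.7/dist-packages/<module>.so` after the build (script name and module path assumed). With the default hardening from the rules file one expects relro, nx, stack_protector and fortify to be yes and bindnow to be NO; if stack_protector and relro are NO as well, the CFLAGS/LDFLAGS assignment in the build target never reached setup.py.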
