Package: rsync Version: 3.1.1-1 Severity: normal Tags: patch Hello,
The additional hardening (+all) announced in the changelog is not applied, because GNU Make's $(shell ..) does not pass variables that are set and exported in the Makefile itself, including DEB_BUILD_MAINT_OPTIONS, into the environment of the command it runs. The attached patch fixes this issue by manually passing DEB_BUILD_MAINT_OPTIONS to dpkg-buildflags (ugly, but the only way). The patch also removes the unnecessary setting of debug-flags (-O2 vs -O0 -g) which is now automatically handled by dpkg-buildflags (btw. -I is a preprocessor flag, so it belongs in CPPFLAGS). An alternative solution would be dh7 style with compat=9 which respects DEB_BUILD_MAINT_OPTIONS. Regards Simon -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9
diff -Nru rsync-3.1.1/debian/rules rsync-3.1.1/debian/rules
--- rsync-3.1.1/debian/rules 2014-07-10 14:20:46.000000000 +0200
+++ rsync-3.1.1/debian/rules 2014-07-10 22:02:37.000000000 +0200
@@ -12,7 +12,6 @@
 SHELL = /bin/bash
 BINS = rsync
-CFLAGS= -Wall -Izlib
 INSTALL = install
 INSTALL_FILE = $(INSTALL) -p -o root -g root -m 644
 INSTALL_PROGRAM = $(INSTALL) -p -o root -g root -m 755
@@ -20,19 +19,11 @@
 INSTALL_DIR = $(INSTALL) -p -d -o root -g root -m 755
 export DEB_BUILD_MAINT_OPTIONS = hardening=+all
-DPKG_EXPORT_BUILDFLAGS = 1
-CFLAGS += $(shell dpkg-buildflags --get CFLAGS)
-LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS)
-
-CPPFLAGS:=$(shell dpkg-buildflags --get CPPFLAGS)
-
-# policy stuff
-ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS)))
-CFLAGS += -g
-else
-CFLAGS += -g -O2
-endif
+dpkg_buildflags = DEB_BUILD_MAINT_OPTIONS=$(DEB_BUILD_MAINT_OPTIONS) dpkg-buildflags
+CPPFLAGS := -Izlib $(shell $(dpkg_buildflags) --get CPPFLAGS)
+CFLAGS := -Wall $(shell $(dpkg_buildflags) --get CFLAGS)
+LDFLAGS := $(shell $(dpkg_buildflags) --get LDFLAGS)
 # backwards compatibility stuff, from dpkg-architecture manpage
 DEB_BUILD_ARCH := $(shell dpkg --print-architecture)
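Review bot: `$(DEB_BUILD_MAINT_OPTIONS)` is spliced unquoted into the shell command on the new `dpkg_buildflags =` line in the second hunk, so the fix only holds while the value is a single word. DEB_BUILD_MAINT_OPTIONS is a space-separated list of feature areas; once a second entry is added, the shell would parse the extra words as further assignments or as the command itself, and the hardening flags could silently go missing again because `$(shell ...)` does not report failures. Quoting the value avoids that: `dpkg_buildflags = DEB_BUILD_MAINT_OPTIONS="$(DEB_BUILD_MAINT_OPTIONS)" dpkg-buildflags`. Since an empty result from `$(shell ...)` produces no error, it is also worth confirming the outcome on a build log or the built binary with a hardening checker such as blhc or hardening-check.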
signature.asc
Description: Digital signature