On Sunday, 07 September 2014 at 21:35 +0200, Eduard Bloch wrote:
> Hello,
> * Guillaume Delacour [Sun, Sep 07 2014, 08:54:13PM]:
> > On Sunday, 07 September 2014 at 03:40 +0200, Guillaume Delacour
> > wrote:
> > > Package: apt-cacher-ng
> > > Version: 0.7.27-1
> > > Severity: important
> > > Tags: patch
> > > User: hardening-disc...@lists.alioth.debian.org
> > > Usertags: goal-hardening
> > > 
> > > Hello,
> > > 
> > > Please find attached a patch that enables all hardening flags in your
> > > package.
> > > 
> > > Although apt-cacher-ng uses dh/9, CPPFLAGS (fortify) was not enabled.
> > > Besides, since debhelper 0.9.20120417 handles the workaround of appending
> > > CPPFLAGS to CXXFLAGS, I still had to do it (I haven't investigated, though).
> > > I've also enabled the optional pie and bindnow.
> > 
> > debhelper must handle the situation
> > (/usr/share/perl5/Debian/Debhelper/Buildsystem/cmake.pm, sub configure)
> > and enable verbose compiler command lines; there is a problem somewhere
> > (either in the package or in debhelper itself). As it concerns some other
> > packages, I'll take a look and report back.
> 
> Uhm... I have a wrapper GNUMakefile there for convenience, which builds
> the source out-of-source-tree and also extends CXXFLAGS as needed. Maybe
> that's the reason why tweaking CMake internal variables is not really
> effective.
> 
> And I guess that this method is not uncommon, since CMake tends to be
> very messy and the best way to get reproducible builds is actually to make
> OOST builds and wipe the directory on cleaning.

This is exactly the reason why debhelper does not consider it a "real"
cmake build system: the presence of GNUmakefile.

To have a verbose build instead of "dh_auto_build -- VERBOSE=1":

        export CMAKEOPTS+=-DCMAKE_VERBOSE_MAKEFILE=ON

That does the job, but then the fortify flag disappears (!).

For CPPFLAGS (which is ignored by CMake itself) I tried different
methods, such as:

        include /usr/share/dpkg/buildflags.mk
        CFLAGS+=$(CPPFLAGS)
        CXXFLAGS+=$(CPPFLAGS)

Another one:

        export CMAKEOPTS+=-DCMAKE_VERBOSE_MAKEFILE=ON -DCMAKE_C_FLAGS_RELWITHDEBINFO:STRING="$(CXXFLAGS) -D_FORTIFY_SOURCE=2"


With no success.


Anyway, the first patch works (but maybe needs some documentation about
the special use case), but feel free to do it differently; the goal is to
enable all build flags dynamically through dpkg-buildflags, to handle
future compiler options, and to have a verbose build (meaning full compiler
command lines) to check the presence of the flags in buildd logs.

You can use hardening-wrapper (from the hardening-includes package) to test
the generated binary for the flags:

$ hardening-check build/apt-cacher-ng 
build/apt-cacher-ng:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes

> 
> Regards,
> Eduard.
> 

-- 
Guillaume Delacour <g...@iroqwa.org>

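As an added illustration (not part of this thread and not the patch attached to the bug report, nor the apt-cacher-ng packaging itself), here is a debian/rules skeleton that does what the message above asks for: every flag comes from dpkg-buildflags via buildflags.mk, CPPFLAGS (where -D_FORTIFY_SOURCE=2 lives, and which CMake does not know about) is folded into the C and C++ flags, LDFLAGS (bindnow, relro) reaches the linker, and the build is verbose so the full compiler command lines end up in the buildd log. It assumes, as the CMAKEOPTS export in the message implies, that the wrapper GNUmakefile passes $(CMAKEOPTS) through to cmake unchanged in a shell recipe, and that the package is built with dh; the file is hypothetical, not apt-cacher-ng's actual rules.

```make
#!/usr/bin/make -f
# Added example, not the apt-cacher-ng packaging. Assumption: the upstream
# wrapper GNUmakefile invokes cmake with $(CMAKEOPTS) verbatim, so the
# shell splits the quoted values below into separate cmake -D arguments.

# Enable the optional hardening flags (pie, bindnow) on top of the defaults.
# Must be exported before buildflags.mk runs dpkg-buildflags.
export DEB_BUILD_MAINT_OPTIONS = hardening=+all

# Defines CFLAGS, CXXFLAGS, CPPFLAGS and LDFLAGS from dpkg-buildflags, so any
# flag dpkg adds in a future release arrives here without touching this file.
include /usr/share/dpkg/buildflags.mk

# CMake has no CPPFLAGS concept, so -D_FORTIFY_SOURCE=2 is lost unless it is
# appended to the per-language flags. CMAKE_<LANG>_FLAGS applies to every
# build type; the *_RELWITHDEBINFO variants only apply to that one type.
# CMAKE_VERBOSE_MAKEFILE=ON prints the complete compiler/linker command lines.
export CMAKEOPTS += -DCMAKE_VERBOSE_MAKEFILE=ON \
	-DCMAKE_C_FLAGS="$(CFLAGS) $(CPPFLAGS)" \
	-DCMAKE_CXX_FLAGS="$(CXXFLAGS) $(CPPFLAGS)" \
	-DCMAKE_EXE_LINKER_FLAGS="$(LDFLAGS)" \
	-DCMAKE_SHARED_LINKER_FLAGS="$(LDFLAGS)"

# Recipe line below must start with a tab, as in any makefile.
%:
	dh $@
```

Two checks are worth doing after a build with this: grep the verbose build log for -D_FORTIFY_SOURCE=2, -fstack-protector-strong (or -fstack-protector on older toolchains), -fPIE and -Wl,-z,relro -Wl,-z,now on the actual compiler and linker lines, and then run hardening-check on the installed binary as shown in the message. If the upstream CMakeLists.txt assigns CMAKE_CXX_FLAGS with set() instead of appending to it, the flags injected here are silently overwritten; the verbose log is what exposes that, which is the reason the message insists on full command lines in the buildd output.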