Package: dpkg-dev
Version: 1.18.3
Severity: normal
Tags: patch

Hello,

blhc is used in the buildd log scanner [1] to detect missing
compiler (hardening) flags. At the moment only the default flags
provided by dpkg-buildflags are verified as blhc can't detect
additional flag options specified in debian/rules (e.g.
hardening=+pie or hardening=-fortify to exclude hardening flags).
Since dpkg 1.16.5 dpkg-buildflags supports a --status option
which displays the current settings.

Please call dpkg-buildflags --status when building a package.

The attached patch implements this for dpkg-buildpackage. The
make --eval .. solution is necessary because the actually used
flags are only known "inside" debian/rules (via environment
variables like DEB_BUILD_MAINT_OPTIONS or DEB_flag_MAINT_PREPEND
etc.). Calling just dpkg-buildflags from dpkg-buildpackage will
only show the default flags. What's necessary is to run
dpkg-buildflags from debian/rules for the proper environment,
without modifying the file itself.

If you know a better solution for this issue, please implement
it. It feels a bit hacky.

Regards
Simon

[1]: https://qa.debian.org/bls/
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
--- /usr/bin/dpkg-buildpackage	2015-09-21 08:14:09.000000000 +0200
+++ dpkg-buildpackage	2015-09-26 12:26:12.021323238 +0200
@@ -566,6 +566,20 @@
 }
 
 if ($include & BUILD_BINARY) {
+    # Print information about compiler flags to be later used when parsing the
+    # build log (e.g. by blhc). The package maintainer controls which compiler
+    # flags are used through several environment variables (e.g.
+    # DEB_BUILD_MAINT_OPTIONS, see man dpkg-buildflags for details) which are
+    # only available from "inside" debian/rules, thus calling just
+    # dpkg-buildflags is not enough. Errors are not fatal, ignore them.
+    system('make', '--eval', <<'EOF', 'run-dpkg-buildflags-status');
+include debian/rules
+
+.PHONY: run-dpkg-buildflags-status
+run-dpkg-buildflags-status:
+	@dpkg-buildflags --status
+EOF
+
     withecho(@debian_rules, $buildtarget);
     run_hook('binary', 1);
     withecho(@rootcommand, @debian_rules, $binarytarget);
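Review bot: the added system() call hardcodes `make` and `include debian/rules`, while the build itself, a few lines further down in the same hunk, goes through `withecho(@debian_rules, $buildtarget);`. If @debian_rules is ever something other than the default debian/rules invocation, the printed status comes from a different file than the one that is actually built, so the log would mislead a scanner such as blhc; deriving the make invocation and the included path from @debian_rules would keep the two in step. Two smaller points on the same call: `include debian/rules` makes make parse the whole rules file one extra time, so any parse-time work in it (for example $(shell ...) assignments) runs again before the real build, which deserves a mention in the comment. And the return value of system() is dropped silently; since the comment says errors are deliberately ignored, a one-line warning on non-zero exit would at least tell a log reader why the status block is missing. The --eval option also needs GNU make 3.82 or later, which should be stated or guarded.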
