Control: severity -1 wishlist

Hi!

On Sat, 2015-09-26 at 12:33:06 +0200, Simon Ruderich wrote:
> Package: dpkg-dev
> Version: 1.18.3
> Severity: normal
> Tags: patch
> blhc is used in the buildd log scanner [1] to detect missing
> compiler (hardening) flags. At the moment only the default flags
> provided by dpkg-buildflags are verified as blhc can't detect
> additional flag options specified in debian/rules (e.g.
> hardening=+pie or hardening=-fortify to exclude hardening flags).
> Since dpkg 1.16.5 dpkg-buildflags supports a --status option
> which displays the current settings.
>
> Please call dpkg-buildflags --status when building a package.

Hmmm, while I understand why this is very tempting, it kind of goes
against the current design of our source packages. If debian/rules was
a purely declarative file that dpkg-buildpackage would parse and handle
the entire build process from within, then this would seem very
appropriate, but as it is it seems a bit wrong. Although in that case
blhc could probably also parse the declarative file directly to know
which flags had been enabled.

> The attached patch implements this for dpkg-buildpackage. The
> make --eval .. solution is necessary because the actually used
> flags are only known "inside" debian/rules (via environment
> variables like DEB_BUILD_MAINT_OPTIONS or DEB_flag_MAINT_PREPEND
> etc.). Calling just dpkg-buildflags from dpkg-buildpackage will
> only show the default flags. What's necessary is to run
> dpkg-buildflags from debian/rules for the proper environment,
> without modifying the file itself.

In addition this only covers part of the problem, and might give a
false sense of knowledge for people reading the build logs, which might
be even more confusing. Consider that any usage of --export=cmdline or
--export=configure will be missed, like the ones in dpkg itself or
pcre3.

> If you know a better solution for this issue, please implement
> it. It feels a bit hacky.

While this is a clever solution, it indeed feels a bit too dirty.

Thanks,
Guillem

