Hi!

On Tue, 2016-01-26 at 15:33:40 +0100, Balint Reczey wrote:
> Package: dpkg
> Version: 1.18.4
> Severity: wishlist
> Tags: patch
> User: bal...@balintreczey.hu
> Usertags: hardened1-linux-amd64
>
> This is the second patch enabling extra flags in dpkg in case the
> hardened1-linux-amd64 port is accepted in #812782.
>
> diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm > index db40b2c..2f39d82 100644 > --- a/scripts/Dpkg/Vendor/Debian.pm > +++ b/scripts/Dpkg/Vendor/Debian.pm > @@ -177,6 +177,14 @@ sub _add_reproducible_flags { > + my $arch = get_host_arch(); > + my ($abi, $os, $cpu) = debarch_to_debtriplet($arch); > + > + unless (defined $abi and defined $os and defined $cpu) { > + warning(g_("unknown host architecture '%s'"), $arch); > + ($abi, $os, $cpu) = ('', '', ''); > + } > + > + if ($abi =~ /^(?:gnuhardened1)$/) { > + # Enable address and undefined behavior sanitizers for the > + # hardened ports > + $use_feature{address} = 1; > + $use_feature{undefined} = 1; > + } > + > + if ($abi =~ /^(?:gnuhardened1)$/) { > + # Enable bindnow on hardened ports > + $use_feature{bindnow} = 1; > + } > +

Unfortunately I don't think this is a good idea, due to at least two reasons. First, not all packages are using dpkg-buildflags, which means that many will simply fail to build if one of the libraries they use is using ASAN but the program is not (AFAIUI). And because this is part of the ABI, it should really be a default in the compiler. This is part of the architecture definition. So this to me seems like the wrong place to set these.

Thanks,
Guillem
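
Review bot: the test `if ($abi =~ /^(?:gnuhardened1)$/)` appears twice in the added lines, once for the sanitizer features and once for bindnow, and it is an anchored match on a single literal inside a non-capturing group; `$abi eq 'gnuhardened1'` says the same thing more directly, and evaluating it once (or through a small helper) would keep the two places from drifting apart if another hardened ABI is added later. In the `unless (defined $abi and defined $os and defined $cpu)` fallback the triplet is reset to empty strings after the warning, so an unknown host architecture quietly gets none of these features; a comment stating that this is intended would help. The visible diff touches only scripts/Dpkg/Vendor/Debian.pm, so the changed defaults for this port are not documented anywhere in it and should be.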