Package: libruby2.3
Version: 2.3.0-5
Severity: normal
Hello
When building package rrdtool, I tried adding in my d/rules:
export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow
lintian stop complaining about "hardening-no-bindnow" for all packages but
one: ruby-rrd.
The package uses this extconf.rb:
-- 8< ---------------
require 'mkmf'
dir_config("rrd",['$(ABS_TOP_BUILDDIR)/src',
'$(ABS_TOP_SRCDIR)/src'],'$(ABS_TOP_BUILDDIR)/src/.libs')
have_library("rrd", "rrd_create")
create_makefile("RRD")
-- 8< ---------------
and the compilation is:
gcc -I. -I/usr/include/x86_64-linux-gnu/ruby-2.3.0
-I/usr/include/ruby-2.3.0/ruby/backward
-I/usr/include/ruby-2.3.0 -I. -I/<<PKGBUILDDIR>>/src -I/<<PKGBUILDDIR>>/src
-Wdate-time
-D_FORTIFY_SOURCE=2 -fPIC -g -O2 -fstack-protector-strong -Wformat
-Werror=format-security -fPIC -o main.o -c main.c
gcc -shared -o RRD.so main.o -L. -L/usr/lib/x86_64-linux-gnu
-L/<<PKGBUILDDIR>>/src/.libs
-L. -Wl,-z,relro -fstack-protector -rdynamic -Wl,-export-dynamic
-lruby-2.3 -lrrd
-lpthread -lgmp -ldl -lcrypt -lm -lc
As you can see, "-Wl,-z,now" is missing from the LDFLAGS.
If I add to my extconf.rb:
$CFLAGS = ENV['CFLAGS']
$CPPFLAGS = ENV['CPPFLAGS']
$CXXFLAGS = ENV['CXXFLAGS']
$LDFLAGS = ENV['LDFLAGS']
or
$CFLAGS << ' ' + ENV['CFLAGS']
$CPPFLAGS << ' ' + ENV['CPPFLAGS']
$CXXFLAGS << ' ' + ENV['CXXFLAGS']
$LDFLAGS << ' ' + ENV['LDFLAGS']
then debhelper uses the correct flags.
I have the feeling all the flags are hard-coded from
/usr/lib/x86_64-linux-gnu/ruby/2.3.0/rbconfig.rb
which is the wrong thing to do.
Any chance this can be fixed globally?
