Package: blhc
Version: 0.07+20161116+gitbf41976
Severity: normal

Dear Maintainer,

SUMMARY:

On https://qa.debian.org/bls/packages/m/mpgrafic.html, blhc, which is presumably the version of blhc presently in sid, i.e. blhc-0.07+20161116+gitbf41976, incorrectly labels builds of mpgrafic as "I no-compiler-commands", although mpgrafic does *both* fortran and C compilation using frontends to gcc.

DETAILS:

The program mpgrafic uses MPI (message passing library) to run on multiple computers with non-shared memory. Typical MPI implementations (openmpi, mpich) provide the developer with front ends to C and fortran compilers, which are called `mpicc' and `mpifort' (or older: mpif90), respectively. Mpgrafic uses both of these - the main code is in fortran, some is in C.

The build logs

  https://buildd.debian.org/status/fetch.php?pkg=mpgrafic&arch=amd64&ver=0.3.10-1&stamp=1485681787&raw=1
  https://buildd.debian.org/status/fetch.php?pkg=mpgrafic&arch=arm64&ver=0.3.10-1&stamp=1485681802&raw=1
  https://buildd.debian.org/status/fetch.php?pkg=mpgrafic&arch=i386&ver=0.3.10-1&stamp=1485681858&raw=1

each contain three lines equal or similar to:

  mpicc -DHAVE_CONFIG_H -I. -I.. -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fdebug-prefix-map=/«PKGBUILDDIR»=. -fstack-protector-strong -Wformat -Werror=format-security -c -o parallel_io.o parallel_io.c

which, to a human reader, clearly indicate that the C compilation is done with the gcc backend, using the expected hardening options. But blhc misses this.

ELEMENTS OF A SOLUTION:

(1) One-way detection: mpicc compilation with hardening:

Blhc should be able to check for regexes such as

  "mpicc.*-D_FORTIFY_SOURCE=2.*-fstack-protector-strong.*-Wformat.*-Werror=format-security"

and allow for different valid orderings of these options. In this case, it would be safe to override the "no-compiler-commands" info message, and to consider that hardening is enabled.

But probably (2) would be a safer, more modular option:

(2) Detecting mpicc as a front end to gcc:

The build log

  https://buildd.debian.org/status/fetch.php?pkg=mpgrafic&arch=amd64&ver=0.3.10-1&stamp=1485681787&raw=1

contains (with line numbers):

  680 checking for gcc... gcc
  681 checking whether we are using the GNU C compiler... yes
  682 checking whether gcc accepts -g... yes
  683 checking for gcc option to accept ISO C89... none needed
  684 checking whether gcc understands -c and -o together... yes
  685 checking for style of include used by make... GNU
  686 checking dependency style of gcc... none
  687 checking for main in -lgcc... yes
  688 checking for cblas_dgemv in -lgslcblas... yes
  689 checking for gsl_spline_init in -lgsl... yes
  690 checking for mpicc... mpicc

While the configure order of checking for gcc and mpicc might not, in general, give lines that are this close to one another, maybe the whole `configure' section of the build log could be searched to see if both the GNU C compiler and mpicc are configured. In that case, the usual checks for absence of hardening options can be made later in the perl script, where "mpicc" is the name of the compiler.

COMMENT:

I'm not sure if any hardening options are valid and recommended for gfortran - which is a fortran front end to gcc.

-- System Information:
Debian Release: sid
Architecture: amd64 (x86_64), arm64, i386
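
A sketch of approach (2) combined with the order-independent flag check from (1), added here as an illustration; it is not blhc's code (blhc is a Perl script), and the function names, the "-c" compile-step heuristic and the fourth sample log line are assumptions made for this example.

```python
import re
import shlex

# Hardening options the report expects on C compile lines.
REQUIRED = {"-D_FORTIFY_SOURCE=2", "-fstack-protector-strong",
            "-Wformat", "-Werror=format-security"}
GNU_C = re.compile(r"^checking whether we are using the GNU C compiler\.\.\. yes$")
WRAPPER = re.compile(r"^checking for mpicc\.\.\. (\S+)$")

def compiler_names(log_lines):
    """Treat the mpicc wrapper as a C compiler only if configure also found GNU C."""
    names = {"gcc", "cc"}
    if any(GNU_C.match(line) for line in log_lines):
        for line in log_lines:
            m = WRAPPER.match(line)
            if m and m.group(1) != "no":
                names.add(m.group(1))
    return names

def check_log(log_lines):
    """Return (line_no, compiler, missing_flags) for each compile line.

    An empty result corresponds to "no-compiler-commands".
    """
    names = compiler_names(log_lines)
    findings = []
    for number, line in enumerate(log_lines, 1):
        try:
            argv = shlex.split(line)
        except ValueError:  # unbalanced quotes: not a command line we can parse
            continue
        # Only compile steps ("-c") are checked; flag order is irrelevant.
        if argv and argv[0] in names and "-c" in argv:
            findings.append((number, argv[0], sorted(REQUIRED - set(argv))))
    return findings

# Lines 1-3 are copied from the report; line 4 is constructed to show a failure.
SAMPLE_LOG = [
    "checking whether we are using the GNU C compiler... yes",
    "checking for mpicc... mpicc",
    "mpicc -DHAVE_CONFIG_H -I. -I.. -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 "
    "-fdebug-prefix-map=/«PKGBUILDDIR»=. -fstack-protector-strong -Wformat "
    "-Werror=format-security -c -o parallel_io.o parallel_io.c",
    "mpicc -Wformat -D_FORTIFY_SOURCE=2 -g -O2 -c -o weak.o weak.c",
]

if __name__ == "__main__":
    for number, compiler, missing in check_log(SAMPLE_LOG):
        print(number, compiler, "missing: " + " ".join(missing) if missing else "ok")
```

Comparing sets of arguments instead of matching one long regex is what makes the check independent of option order; without the two configure lines, the same mpicc commands are not recognised and the result is empty.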