Emilio, could you please post this to the upstream gitLab.isc.org? Ping me when you create the account, I will have to bump the project limit, so you can fork.
I would be happy to merge this upstream. Fortunately, I’ve already changed the build system to use automake in the development branch, but it was quite an effort, so I didn’t make it in time for 9.16, but the next stable (9.18) will be pretty standard.

Ondřej
--
Ondřej Surý <ond...@sury.org> (He/Him)

> On 4. 5. 2021, at 11:21, Emilio Pozuelo Monfort <po...@debian.org> wrote:
>
> Package: bind9
> Severity: normal
>
> Hi,
>
> While doing a bind9 update for stretch LTS, Anton Gladky added a salsa
> pipeline which had a blhc (build log hardening check) test that was
> failing.
>
> I have investigated it and found that bind9 is not using automake and, while
> it tries to honor most *FLAGS variables, it ignores CPPFLAGS. The attached
> patch makes it honor CPPFLAGS, so that Debian's default flags (e.g.
> -D_FORTIFY_SOURCE=2) get passed. A small diff from the build logs:
>
> -libtool: compile: gcc -include /build/bind9-9.16.13/config.h
> -I/build/bind9-9.16.13 -I../../.. -I./include -I./../unix/include
> -I./../pthreads/include -I../include -I./../include -I./..
> -I/usr/include/json-c -I/usr/include/libxml2 -g -O2
> -ffile-prefix-map=/build/bind9-9.16.13=. -fstack-protector-strong -Wformat
> -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks
> -DNO_VERSION_DATE -DDIG_SIGCHASE -pthread -fPIC -W -Wall -Wmissing-prototypes
> -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith
> -Wno-missing-field-initializers -fno-strict-aliasing -c tlsdns.c -o tlsdns.o
> >/dev/null 2>&1
> +libtool: compile: gcc -Wdate-time -D_FORTIFY_SOURCE=2 -include
> /build/bind9-9.16.13/config.h -I/build/bind9-9.16.13 -I../../.. -I./include
> -I./../unix/include -I./../pthreads/include -I../include -I./../include
> -I./.. -I/usr/include/json-c -I/usr/include/libxml2 -g -O2
> -ffile-prefix-map=/build/bind9-9.16.13=. -fstack-protector-strong -Wformat
> -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks
> -DNO_VERSION_DATE -DDIG_SIGCHASE -pthread -fPIC -W -Wall -Wmissing-prototypes
> -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith
> -Wno-missing-field-initializers -fno-strict-aliasing -c tlsdns.c -o tlsdns.o
> >/dev/null 2>&1
>
> I have not tested the resulting package, but it should probably be alright
> to add this after the current freeze.
>
> Thanks,
> Emilio
>
> -- System Information:
> Debian Release: bullseye/sid
> APT prefers testing-security
> APT policy: (500, 'testing-security'), (200, 'testing')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 5.10.0-5-amd64 (SMP w/12 CPU threads)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
> TAINT_UNSIGNED_MODULE
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
> LANGUAGE=en_GB:en
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages bind9 depends on:
> ii  adduser              3.118
> ii  bind9-libs           1:9.16.13-1
> pn  bind9-utils          <none>
> ii  debconf [debconf-2.0] 1.5.75
> ii  dns-root-data        2021011101
> ii  init-system-helpers  1.60
> ii  iproute2             5.10.0-4
> ii  libc6                2.31-11
> ii  libcap2              1:2.44-1
> ii  libfstrm0            0.6.0-1+b1
> ii  libjson-c5           0.15-2
> ii  liblmdb0             0.9.24-1
> ii  libmaxminddb0        1.5.2-1
> ii  libprotobuf-c1       1.3.3-1+b2
> ii  libssl1.1            1.1.1k-1
> ii  libuv1               1.40.0-1
> ii  libxml2              2.9.10+dfsg-6.3+b1
> ii  lsb-base             11.1.0
> ii  netbase              6.2
> ii  zlib1g               1:1.2.11.dfsg-2
>
> bind9 recommends no packages.
>
> Versions of packages bind9 suggests:
> pn  bind-doc                    <none>
> ii  bind9-dnsutils [dnsutils]   1:9.16.13-1
> ii  dnsutils                    1:9.16.13-1
> pn  resolvconf                  <none>
> pn  ufw                         <none>
>
> <bind9.debdiff>
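The blhc failure in the report comes down to one question: did the hardening flags Debian injects through CPPFLAGS and CFLAGS reach every compiler invocation in the build log? As an added example, not code from this thread, from blhc or from bind9, here is a minimal check of that kind run over two constructed compile lines modelled on the quoted log diff; the required flag set and the compile-line pattern are assumptions.

```python
"""Minimal build-log hardening check (added example, not blhc itself).

Scans a build log for compiler invocations and reports any that lack
the expected hardening flags. This is how a missing CPPFLAGS value such
as -D_FORTIFY_SOURCE=2 shows up when a build system drops CPPFLAGS.
"""
import re
import shlex

# Assumed flag set: what dpkg-buildflags injects via CPPFLAGS and CFLAGS.
REQUIRED_FLAGS = {
    "-D_FORTIFY_SOURCE=2",       # CPPFLAGS: fortified libc wrappers
    "-fstack-protector-strong",  # CFLAGS: stack canaries
    "-Werror=format-security",   # CFLAGS: reject non-literal formats
}

# Assumed heuristic for "this line is a compile step": a compiler name
# followed somewhere by a bare -c (compile-only) switch.
COMPILE_RE = re.compile(r"\b(?:gcc|cc|g\+\+|clang)\b.*\s-c\s")


def missing_flags(line):
    """Return the set of required flags absent from one compile line."""
    try:
        tokens = set(shlex.split(line))   # honours quoting in the log
    except ValueError:
        tokens = set(line.split())        # unbalanced quotes: fall back
    return REQUIRED_FLAGS - tokens


def check_build_log(text):
    """Return [(line_no, [missing flags])] for every compile line that
    lacks at least one required flag; an empty list means the log is clean."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if not COMPILE_RE.search(line):
            continue                      # link steps, libtool chatter, etc.
        missing = missing_flags(line)
        if missing:
            findings.append((no, sorted(missing)))
    return findings


# Constructed sample: line 1 mirrors the unpatched build (no CPPFLAGS),
# line 2 the patched build where -D_FORTIFY_SOURCE=2 is present.
SAMPLE_LOG = """\
libtool: compile: gcc -include config.h -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fPIC -c tlsdns.c -o tlsdns.o
libtool: compile: gcc -Wdate-time -D_FORTIFY_SOURCE=2 -include config.h -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fPIC -c tlsdns.c -o tlsdns.o
"""

if __name__ == "__main__":
    for no, missing in check_build_log(SAMPLE_LOG):
        print(f"line {no}: missing {' '.join(missing)}")
```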