Your message dated Fri, 21 Nov 2014 08:19:46 +0100
with message-id <20141121071946.gd4...@mykerinos.kheops.frmug.org>
and subject line Re: [PATCH] shadow debhelper (Was: shadow (1:4.2-2+b2))
has caused the Debian Bug report #770273,
regarding shadow (1:4.2-2+b2) no longer built with hardening flags
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
770273: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770273
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: shadow
Version: 1:4.2-2+b2
Severity: serious
Tags: patch
It has been reported (but privately to me only) that the recent binNMU
dropped the hardening flags for the shadow source package.
A later analysis by Simon Ruderich mentioned this is related to cdbs
and #712729. Simon provided a patch which I intend to apply in jessie,
after seeking approval by the release team.
----- Forwarded message from "Dr. Markus Waldeck" <wald...@gmx.de> -----
Date: Sun, 9 Nov 2014 14:27:36 +0100
From: "Dr. Markus Waldeck" <wald...@gmx.de>
To: Christian Perrier <bubu...@debian.org>
Cc: Simon Ruderich <si...@ruderich.org>
Subject: shadow (1:4.2-2+b2)
Hi Christian,
WHO triggered this "Binary-only non-maintainer upload for amd64"?
It fucked up the correctly applied hardening settings for shadow (1:4.2-2+b1)
Thanks!
Markus
----- End forwarded message -----
--
diff -Nru shadow-4.2/debian/control shadow-4.2/debian/control
--- shadow-4.2/debian/control 2014-04-30 22:28:06.000000000 +0200
+++ shadow-4.2/debian/control 2014-11-10 13:30:34.000000000 +0100
@@ -5,6 +5,7 @@
Standards-Version: 3.9.5
Uploaders: Christian Perrier <bubu...@debian.org>, Nicolas FRANCOIS (Nekral) <nicolas.franc...@centraliens.net>
Build-Depends: dh-autoreconf, gettext, libpam0g-dev, debhelper (>= 6.0.7~), quilt, dpkg-dev (>= 1.13.5), xsltproc, docbook-xsl, docbook-xml, libxml2-utils, cdbs, libselinux1-dev [linux-any], libsemanage1-dev [linux-any], gnome-doc-utils (>= 0.4.3), bison, libaudit-dev [linux-any]
+ ,hardening-wrapper
Vcs-Git: git://anonscm.debian.org/git/pkg-shadow/shadow.git
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-shadow/shadow.git;a=summary
Homepage: http://pkg-shadow.alioth.debian.org/
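Review bot: the new ",hardening-wrapper" entry in Build-Depends sits on its own continuation line with a leading comma, while every other dependency is on the single long line above it. Append ", hardening-wrapper" after "libaudit-dev [linux-any]" instead, or wrap the whole field one dependency per line so later diffs stay readable. The build dependency is only useful together with the DEB_BUILD_HARDENING=1 export added to debian/rules in this same patch, so the two lines should be added, and later dropped, together.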
diff -Nru shadow-4.2/debian/rules shadow-4.2/debian/rules
--- shadow-4.2/debian/rules 2014-04-30 22:28:06.000000000 +0200
+++ shadow-4.2/debian/rules 2014-11-10 13:30:34.000000000 +0100
@@ -3,6 +3,8 @@
DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
+export DEB_BUILD_HARDENING=1
+
# Enable PIE, BINDNOW, and possible future flags.
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
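Review bot: the added "export DEB_BUILD_HARDENING=1" in debian/rules has no comment, and it now sits directly above the existing "export DEB_BUILD_MAINT_OPTIONS = hardening=+all" block, so the file enables hardening through two mechanisms without saying why both are needed. Add a comment stating that this export is a temporary workaround for the cdbs problem tracked in #712729 and should be removed once the package switches to debhelper, so it is neither left behind nor deleted by mistake in a later cleanup.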
--- End Message ---
--- Begin Message ---
Version: 4.2-3
Quoting Simon Ruderich (si...@ruderich.org):
> >> Please apply the following patch to shadow (a temporary solution
> >> only, I know) and rebuild it to get all hardening flags into
> >> Jessie which is important for setuid binaries. In the longer run,
> >> shadow should IMHO just switch to debhelper which gets the
> >> hardening right and doesn't break it almost every release.
Version 4.2-3 just hit unstable and I'm in the process of asking the
release team for an unblock.
I actually reported #770273 with the "missing hardening flags"
reported by Markus. The upload didn't close the bug because....I
forgot the Closes line, so I'm closing the bug with this very mail.
Thanks for your help, Simon. And thanks for reporting to Markus.
--- End Message ---