Bug#650536: ITM: Please review hardening-support branch to fix #650536 (Was: Re: Bug#650536: update!)

2012-04-04 Thread Kees Cook
On Wed, Apr 04, 2012 at 11:45:38PM +0200, Niels Thykier wrote: > * Remove bindnow and nopie tags >- It was not possible to trigger them (not enabled). I guess this is okay since we'd need to rebuild lintian to get the new dpkg-buildflags defaults if pie was enabled for an arch. -Kees -- Ke

Bug#650536: ITM: Please review hardening-support branch to fix #650536 (Was: Re: Bug#650536: update!)

2012-04-04 Thread Niels Thykier
On 2012-04-01 17:16, Niels Thykier wrote: > [...] > > I have rebased the branch and it is now available from [1] and I > intend to merge it into master before we do the 2.5.7 release. > As mentioned, I have added a new test suite hook[0], which some > may (or may not) find controversial. > > Assu

Bug#650536: ITM: Please review hardening-support branch to fix #650536 (Was: Re: Bug#650536: update!)

2012-04-02 Thread Niels Thykier
On 2012-04-02 18:28, Kees Cook wrote: > On Mon, Apr 02, 2012 at 11:25:26AM +0200, Niels Thykier wrote: >> No, at least the "hardening-no-stackprotector" can be triggered in a >> perfectly safe program where the stack protector is not needed. We >> worked around this in the test suite by ensuring t

Bug#650536: ITM: Please review hardening-support branch to fix #650536 (Was: Re: Bug#650536: update!)

2012-04-02 Thread Kees Cook
On Mon, Apr 02, 2012 at 11:25:26AM +0200, Niels Thykier wrote: > No, at least the "hardening-no-stackprotector" can be triggered in a > perfectly safe program where the stack protector is not needed. We > worked around this in the test suite by ensuring there was a stack > that needed protection,

Bug#650536: ITM: Please review hardening-support branch to fix #650536 (Was: Re: Bug#650536: update!)

2012-04-02 Thread Niels Thykier
On Apr 1, 2012 17:42 "Kees Cook" wrote: > On Sun, Apr 01, 2012 at 05:16:38PM +0200, Niels Thykier wrote: > [...] > > Kees, btw, are you certain of the copyright statements in > > collection/hardening-info? > > > > """ > > # The original shell script version of this script is > > # Copyright (C) 1

Bug#650536: ITM: Please review hardening-support branch to fix #650536 (Was: Re: Bug#650536: update!)

2012-04-01 Thread Kees Cook
On Sun, Apr 01, 2012 at 05:16:38PM +0200, Niels Thykier wrote: > Thanks, I have pushed it to my branch (with a minor change to also update > the Depends of lintian in d/control). Great! > Kees, btw, are you certain of the copyright statements in > collection/hardening-info? > > """ > # The origi

Bug#650536: ITM: Please review hardening-support branch to fix #650536 (Was: Re: Bug#650536: update!)

2012-04-01 Thread Niels Thykier
On Apr 1, 2012 09:21 "Kees Cook" wrote: > Hi Niels, > > On Sun, Mar 11, 2012 at 12:16:09AM +0100, Niels Thykier wrote: > > I have started an unofficial branch[1] to get something more > > concrete on > > this. I decided to rename the tags so they had a common prefix (it > > simplified the update

Bug#650536: update!

2012-04-01 Thread Kees Cook
Hi Niels, On Sun, Mar 11, 2012 at 12:16:09AM +0100, Niels Thykier wrote: > I have started an unofficial branch[1] to get something more concrete on > this. I decided to rename the tags so they had a common prefix (it > simplified the update to t/scripts/implemented-tags.t). Attached is a patch

Bug#650536: update!

2012-03-11 Thread Niels Thykier
On 2012-03-11 13:37, Kees Cook wrote: > On Sun, Mar 11, 2012 at 12:16:09AM +0100, Niels Thykier wrote: >> I have bumped the debhelper standard test suite to use compat 9 by >> default. I doubt it will fix all the failures we saw, but at least the >> standard flags are enabled by default. > > When

Bug#650536: update!

2012-03-11 Thread Kees Cook
On Sun, Mar 11, 2012 at 12:16:09AM +0100, Niels Thykier wrote: > I have bumped the debhelper standard test suite to use compat 9 by > default. I doubt it will fix all the failures we saw, but at least the > standard flags are enabled by default. When I was playing with it, this solved a lot but n

Bug#650536: update!

2012-03-10 Thread Niels Thykier
On 2012-03-06 20:26, Kees Cook wrote: > Hi Russ, > > On Tue, Mar 06, 2012 at 10:08:31AM -0800, Russ Allbery wrote: >> Kees Cook writes: >> Hi, I have started an unofficial branch[1] to get something more concrete on this. I decided to rename the tags so they had a common prefix (it simplified

Bug#650536: update!

2012-03-06 Thread Kees Cook
On Tue, Mar 06, 2012 at 11:36:42AM -0800, Russ Allbery wrote: > Kees Cook writes: > > > Okay. In that case, I think the work needs to be broken into several pieces: > > > - make lintian work for wheezy (but disable internal tests for hardening) > > A better way than disabling it might be to jus

Bug#650536: update!

2012-03-06 Thread Russ Allbery
Kees Cook writes: > Okay. In that case, I think the work needs to be broken into several pieces: > - make lintian work for wheezy (but disable internal tests for hardening) A better way than disabling it might be to just list the expected tags until the test cases have been revised to not issue

Bug#650536: update!

2012-03-06 Thread Kees Cook
Hi Russ, On Tue, Mar 06, 2012 at 10:08:31AM -0800, Russ Allbery wrote: > Kees Cook writes: > > > This was the big problem. I spent a lot of time trying to see how bad it > > would be to fix every build in the testsuite to DTRT with respect to > > dpkg-buildflags, but it was a losing battle. Or,

Bug#650536: update!

2012-03-06 Thread Russ Allbery
Kees Cook writes: > On Tue, Mar 06, 2012 at 06:36:07PM +0100, Niels Thykier wrote: >> Lintian.d.o, ftp-master.d.o and potentially a lot of developers run >> Lintian on a Debian/Squeeze. I suspect a static data file is better >> than disabling it for Squeeze. > Oh, you mean they'll run a squee

Bug#650536: update!

2012-03-06 Thread Kees Cook
On Tue, Mar 06, 2012 at 06:36:07PM +0100, Niels Thykier wrote: > On 2012-03-06 01:58, Kees Cook wrote: > > Right -- though I have no way around this. All the pieces needed for > > these checks come from the new dpkg-buildflags. Perhaps the hardening > > check can be disabled for the backport, since

Bug#650536: update!

2012-03-06 Thread Russ Allbery
Kees Cook writes: > This was the big problem. I spent a lot of time trying to see how bad it > would be to fix every build in the testsuite to DTRT with respect to > dpkg-buildflags, but it was a losing battle. Or, at least, a tedious > battle. Ultimately I decided it was better to just have the

Bug#650536: update!

2012-03-06 Thread Niels Thykier
On 2012-03-06 01:58, Kees Cook wrote: > On Mon, Mar 05, 2012 at 11:29:46AM +0100, Niels Thykier wrote: >> On 2012-03-05 04:47, Kees Cook wrote: >>> - It requires the latest dpkg-dev (still in experimental) to get >>> the dpkg-buildflags that supports --query-features. >> > [...] >> The second pr

Bug#650536: update!

2012-03-05 Thread Kees Cook
On Mon, Mar 05, 2012 at 11:29:46AM +0100, Niels Thykier wrote: > On 2012-03-05 04:47, Kees Cook wrote: > > - It requires the latest dpkg-dev (still in experimental) to get > > the dpkg-buildflags that supports --query-features. > > Unfortunately I see two issues here. First, we have been asked

Bug#650536: update!

2012-03-05 Thread Niels Thykier
On 2012-03-05 04:47, Kees Cook wrote: > Okay, here's the latest version. Some notes: > Hi, Thanks for the update. > - It requires the latest dpkg-dev (still in experimental) to get > the dpkg-buildflags that supports --query-features. > Unfortunately I see two issues here. First, we have

Bug#650536: update!

2012-03-04 Thread Kees Cook
Okay, here's the latest version. Some notes: - It requires the latest dpkg-dev (still in experimental) to get the dpkg-buildflags that supports --query-features. - The hardening checker only expects the hardened features that are defaulted on for the architecture of the package it is examini