Bug#657853: Building perl with hardened build flags

2012-03-26 Thread gregor herrmann
On Mon, 26 Mar 2012 18:46:54 +0100, Dominic Hargreaves wrote:
> Just wanted to check - are you happy to prod the buildd maintainers
> into making sure that debhelper >= 9.20120312 is installed, or should
> I? I'd like to make sure that the changes I've got queued up don't
> get forgotten about.
>

Bug#657853: Building perl with hardened build flags

2012-03-26 Thread Dominic Hargreaves
On Wed, Mar 14, 2012 at 11:04:16PM +, Dominic Hargreaves wrote: > On Wed, Feb 22, 2012 at 06:16:16PM +0100, Moritz Muehlenhoff wrote: > > > If it's only 30 packages we should rather push it into debhelper 9 now > > if that's okay with Joey. > > > > I'll make sure the 30 packages get rebuilt.

Bug#657853: Building perl with hardened build flags

2012-03-14 Thread Salvatore Bonaccorso
Hi Dominic On Wed, Mar 14, 2012 at 11:06:45PM +, Dominic Hargreaves wrote: > > libdbd-pg-perl > > To be rebuilt by Moritz Maybe for this one, we could first wait one further day, to have the 2.19.0 upload in wheezy? It contains the fix for CVE-2012-1151. To all involved, many thanks for you

Bug#657853: Building perl with hardened build flags

2012-03-14 Thread Dominic Hargreaves
On Sun, Feb 12, 2012 at 09:28:48PM +0100, Moritz Mühlenhoff wrote:
> These four Perl modules had a DSA since 2006 and are not pure Perl:

So, once the fixed debhelper is installed on buildds:

> libhtml-parser-perl

Ready for upload

> libdbd-pg-perl

To be rebuilt by Moritz

> libimager-perl

Read

Bug#657853: Building perl with hardened build flags

2012-03-14 Thread Dominic Hargreaves
On Wed, Feb 22, 2012 at 06:16:16PM +0100, Moritz Muehlenhoff wrote:
> If it's only 30 packages we should rather push it into debhelper 9 now
> if that's okay with Joey.
>
> I'll make sure the 30 packages get rebuilt.

I believe that debhelper 9.20120312 implements what we need. Niko pointed out

Bug#657853: Building perl with hardened build flags

2012-03-05 Thread Niko Tyni
On Tue, Feb 21, 2012 at 01:38:07PM +0200, Niko Tyni wrote:
> Problems/thoughts:

Most of this got addressed with the implementation that landed in 5.14.2-9, so I think we're fine now. Concluding notes:

> - we're invoking dpkg-buildflags in two places (debian/rules and
> debian/config.debian), an

Bug#657853: Building perl with hardened build flags

2012-03-02 Thread Niko Tyni
On Thu, Feb 23, 2012 at 10:24:50PM +, Dominic Hargreaves wrote: > On Thu, Feb 23, 2012 at 11:49:31AM +0200, Niko Tyni wrote: > > I've pushed a slightly refined version of the patch. I'll file such a > > wishlist bug if/when this ends up in sid. > > Thanks. I'm inclined to release the current

Bug#657853: Building perl with hardened build flags

2012-02-27 Thread Dominic Hargreaves
On Sun, Feb 12, 2012 at 09:27:24PM +0100, Moritz Mühlenhoff wrote:
> If the missing format string is variable and controlled externally (e.g.
> if read from a file or from network communication), please file it
> with RC severity and the security tag. (If it's a popular Perl module,
> please con

Bug#657853: Building perl with hardened build flags

2012-02-23 Thread Dominic Hargreaves
On Thu, Feb 23, 2012 at 11:49:31AM +0200, Niko Tyni wrote: > On Tue, Feb 21, 2012 at 10:21:04PM +, Dominic Hargreaves wrote: > > > I'm in much the same situation as well; fairly limited hack time at > > the moment. > > > > So, not that this probably helps much, but: in order to make some > >

Bug#657853: Building perl with hardened build flags

2012-02-23 Thread Niko Tyni
On Tue, Feb 21, 2012 at 10:21:04PM +, Dominic Hargreaves wrote: > I'm in much the same situation as well; fairly limited hack time at > the moment. > > So, not that this probably helps much, but: in order to make some > progress with this, you could commit your patch as-is, and also open > a

Bug#657853: Building perl with hardened build flags

2012-02-22 Thread Moritz Muehlenhoff
On Tue, Feb 21, 2012 at 10:37:48PM +, Dominic Hargreaves wrote: > Trying to pull a few of the subthreads together: > > On Sun, Feb 12, 2012 at 09:24:40PM +0100, Moritz Mühlenhoff wrote: > > On Sun, Feb 12, 2012 at 02:54:59PM +0200, Niko Tyni wrote: > > > > That's a good point about the timefr

Bug#657853: Building perl with hardened build flags

2012-02-21 Thread gregor herrmann
On Tue, 21 Feb 2012 22:37:48 +, Dominic Hargreaves wrote: > Given the messages I've quoted above, deferring debhelper changes until > v10 makes most sense. This means we can file bugs on the release goal > packages to use the invocations manually in the meantime, as well as > a wishlist bug on

Bug#657853: Building perl with hardened build flags

2012-02-21 Thread Dominic Hargreaves
Trying to pull a few of the subthreads together: On Sun, Feb 12, 2012 at 09:24:40PM +0100, Moritz Mühlenhoff wrote: > On Sun, Feb 12, 2012 at 02:54:59PM +0200, Niko Tyni wrote: > > That's a good point about the timeframe. So there's no real hurry with > > the proposed debhelper changes in option

Bug#657853: Building perl with hardened build flags

2012-02-21 Thread Dominic Hargreaves
On Tue, Feb 21, 2012 at 01:38:07PM +0200, Niko Tyni wrote: > On Fri, Feb 17, 2012 at 12:36:21PM +0200, Niko Tyni wrote: > > (cc's trimmed for the implementation details) > > > If we have consensus on that, the way forward as I see it: > > Dominic, I'm not sure if you're fine with that plan? Ye

Bug#657853: Building perl with hardened build flags

2012-02-21 Thread Niko Tyni
On Fri, Feb 17, 2012 at 12:36:21PM +0200, Niko Tyni wrote: (cc's trimmed for the implementation details) > If we have consensus on that, the way forward as I see it: Dominic, I'm not sure if you're fine with that plan? > - prepare a perl upload in unstable that is built with the hardened flags

Bug#657853: Building perl with hardened build flags

2012-02-17 Thread Niko Tyni
On Sun, Feb 12, 2012 at 09:24:40PM +0100, Moritz Mühlenhoff wrote: > On Sun, Feb 12, 2012 at 02:54:59PM +0200, Niko Tyni wrote: > > > On Fri, Feb 10, 2012 at 11:29:09PM +0200, Niko Tyni wrote: > > > > A. make debhelper pass all of CFLAGS, CPPFLAGS, and LDFLAGS down to > > > >ExtUtils::MakeMake

Bug#657853: Building perl with hardened build flags

2012-02-16 Thread Joey Hess
gregor herrmann wrote:
> Assuming they are all uploaded and all arch:any (and only looking at
> packages in the Debian perl Group):
>
> % grep 9 */debian/compat | wc -l
> 31

Well, it seems easy enough to test 30 packages. It would help if someone developed a patch before there are too many more.

Bug#657853: Building perl with hardened build flags

2012-02-12 Thread gregor herrmann
On Sun, 12 Feb 2012 17:12:31 -0400, Joey Hess wrote: > > > > > A. make debhelper pass all of CFLAGS, CPPFLAGS, and LDFLAGS down to > > > > >ExtUtils::MakeMaker and ExtUtils::CBuilder via suitable command > > > > > line > > > > >invocations (it currently passes only CFLAGS, starting with c

Bug#657853: Building perl with hardened build flags

2012-02-12 Thread Joey Hess
Moritz Mühlenhoff wrote: > > > > A. make debhelper pass all of CFLAGS, CPPFLAGS, and LDFLAGS down to > > > >ExtUtils::MakeMaker and ExtUtils::CBuilder via suitable command line > > > >invocations (it currently passes only CFLAGS, starting with compat > > > >level 9) > > I would prefer

Bug#657853: Building perl with hardened build flags

2012-02-12 Thread Moritz Mühlenhoff
On Sun, Feb 12, 2012 at 06:52:18PM +, Dominic Hargreaves wrote: > > That's a good point about the timeframe. So there's no real hurry with > > the proposed debhelper changes in option A, they can be done after wheezy. > > Except perhaps for the modules which are specifically included in > the

Bug#657853: Building perl with hardened build flags

2012-02-12 Thread Moritz Mühlenhoff
On Sat, Feb 11, 2012 at 01:51:19PM +, Dominic Hargreaves wrote: > > > - 13 packages newly FTBFS with the perl from experimental installed > > > - of those, 12 are -Werror=format-security issues > > > > > It would be nice to fix all the packages first, but it's probably not > > > a sensible ap

Bug#657853: Building perl with hardened build flags

2012-02-12 Thread Moritz Mühlenhoff
[Adding Joey Hess to CC] On Sun, Feb 12, 2012 at 02:54:59PM +0200, Niko Tyni wrote: > [Thanks for taking this to the list; should've done that myself. > Just a couple of quick comments for now.] > > On Sat, Feb 11, 2012 at 01:51:19PM +, Dominic Hargreaves wrote: > > On Fri, Feb 10, 2012 at 1

Bug#657853: Building perl with hardened build flags

2012-02-12 Thread Dominic Hargreaves
On Sun, Feb 12, 2012 at 02:54:59PM +0200, Niko Tyni wrote: > [Thanks for taking this to the list; should've done that myself. > Just a couple of quick comments for now.] > > On Sat, Feb 11, 2012 at 01:51:19PM +, Dominic Hargreaves wrote: > > On Fri, Feb 10, 2012 at 11:29:09PM +0200, Niko Tyni

Bug#657853: Building perl with hardened build flags

2012-02-12 Thread Niko Tyni
[Thanks for taking this to the list; should've done that myself. Just a couple of quick comments for now.] On Sat, Feb 11, 2012 at 01:51:19PM +, Dominic Hargreaves wrote: > On Fri, Feb 10, 2012 at 11:29:09PM +0200, Niko Tyni wrote: > > On Thu, Feb 09, 2012 at 08:44:25PM +, Dominic Hargrea

Bug#657853: Building perl with hardened build flags

2012-02-11 Thread Dominic Hargreaves
[Adding debian-perl, since the decisions we take might have a wide impact]. On Fri, Feb 10, 2012 at 11:29:09PM +0200, Niko Tyni wrote: > On Thu, Feb 09, 2012 at 08:44:25PM +, Dominic Hargreaves wrote: > Going back to square one, I see three options for pushing > the hardening flags to the XS

Bug#657853: Building perl with hardened build flags

2012-02-10 Thread Niko Tyni
On Thu, Feb 09, 2012 at 08:44:25PM +, Dominic Hargreaves wrote: > On Wed, Feb 08, 2012 at 09:46:22AM +0200, Niko Tyni wrote: > > I suspect we need to patch ExtUtils::CBuilder to invoke dpkg-buildflags > > at XS module build time rather than blindly use $Config{ccflags} from > > perl. That way

Bug#657853: Building perl with hardened build flags

2012-02-09 Thread Dominic Hargreaves
On Wed, Feb 08, 2012 at 06:58:53PM +0100, Moritz Mühlenhoff wrote: > On Tue, Feb 07, 2012 at 10:13:58PM +, Dominic Hargreaves wrote: > > > > Moritz, could you comment on your preferred way of dealing with > > communicating/fixing this problem for packages which inherit build > > flags from per

Bug#657853: Building perl with hardened build flags

2012-02-09 Thread Dominic Hargreaves
On Wed, Feb 08, 2012 at 09:46:22AM +0200, Niko Tyni wrote: > On Tue, Feb 07, 2012 at 10:13:58PM +, Dominic Hargreaves wrote: > > On Tue, Feb 07, 2012 at 08:48:12PM +, Dominic Hargreaves wrote: > > > I've just kicked off a test rebuild of all CPAN > > > modules in Debian with the perl from

Bug#657853: Building perl with hardened build flags

2012-02-08 Thread Moritz Mühlenhoff
On Tue, Feb 07, 2012 at 10:13:58PM +, Dominic Hargreaves wrote: > > Moritz, could you comment on your preferred way of dealing with > communicating/fixing this problem for packages which inherit build > flags from perl? I'll post a complete list of affected packages to > debian-perl once the r

Bug#657853: Building perl with hardened build flags

2012-02-07 Thread Niko Tyni
On Tue, Feb 07, 2012 at 10:13:58PM +, Dominic Hargreaves wrote: > On Tue, Feb 07, 2012 at 08:48:12PM +, Dominic Hargreaves wrote: > > I've just kicked off a test rebuild of all CPAN > > modules in Debian with the perl from experimental, to try and catch any > > severe breakage introduced b

Bug#657853: Building perl with hardened build flags

2012-02-07 Thread Dominic Hargreaves
On Tue, Feb 07, 2012 at 08:48:12PM +, Dominic Hargreaves wrote: > I've just kicked off a test rebuild of all CPAN > modules in Debian with the perl from experimental, to try and catch any > severe breakage introduced by this. Early indications from my rebuilds indicate that we will have some

Bug#657853: Building perl with hardened build flags

2012-02-07 Thread Dominic Hargreaves
Hello, As discussed in we are adding various hardening build flags to the perl build in Debian, as part of a Debian release goal[1]. The version currently in Debian experimental has the following additional flags defined: ccflags: add -D_FORTIFY_SOURCE=2 -g -O2 -