[Build-common-hackers] Bug#651964: Bug#651964: Bug#651964: cdbs: class/langcore.mk doesn't set CPPFLAGS and LDFLAGS from dpkg-buildflags
dr at jones.dk
Wed Feb 1 00:05:39 UTC 2012
On 12-01-31 at 09:48pm, Moritz Muehlenhoff wrote:
> On Wed, Dec 14, 2011 at 01:16:40AM +0700, Jonas Smedegaard wrote:
> > tags 651964 wontfix
> > thanks
> > On 11-12-13 at 05:34pm, Simon Ruderich wrote:
> > > While trying to build poppler with hardening flags I noticed that
> > > CPPFLAGS and LDFLAGS were not set correctly. This is an important
> > > problem as it causes several hardening flags (fortify source,
> > > relro) to not get included in the build.
> > >
> > > Adding the following lines to class/langcore.mk.in in line 57
> > > where CFLAGS and CXXFLAGS are already set fixes the problem:
> > >
> > > CPPFLAGS += $(deb_cppflags)
> > > LDFLAGS += $(deb_ldflags)
> > Thanks for your bugreport.
> > I agree with you that some flags were set properly in the past.
> > Unfortunately some packages depend on the old broken behaviour, so
> > it can not be corrected now.
> Hi Jonas,
> I'm currently working my way through all packages, which have had a
> DSA in the last five years and/or which are of Priority >= important.
> I've nearly finished all packages based on debhelper and I now proceed
> with the packages based on cdbs.
> Please reconsider the wontfix: Out of the three *FLAGS emitted by
> dpkg-buildflags, CFLAGS is the only option, which causes build
> problems (almost exclusively due to missing format strings exposed by
> "-Wformat -Wformat-security -Werror=format-security")
> The two additional flags are harmless and won't cause any further
> build failures:
> CPPFLAGS=-D_FORTIFY_SOURCE=2 activates replacement of insecure C library
> calls at build time, see here for details:
> LDFLAGS=-Wl,-z,relro activates a linker flag, see here for details:
> I've run test conversions for 200-250 packages and D_FORTIFY_SRC and
> relro didn't cause any problems (plus most distros have patched their
> toolchain, which enables this by default).
> So, please activate these flags as suggested by Simon, otherwise this
> causes a lot of additional manual overhead. (Plus, your workaround
> doesn't work, see below).
[embarrassing bug snipped]
Thanks for the investigations. I am convinced!
I'll simplify CDBS to always use new behaviour, and hope it causes no
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
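
The failure discussed in this thread (compile commands built without `-D_FORTIFY_SOURCE=2` from CPPFLAGS, link commands built without `-Wl,-z,relro` from LDFLAGS) can be detected from a package build log. The following is an added example, not code from the thread or from CDBS; the function names, the compiler name list and the sample log are assumptions constructed for illustration, and it checks only the two flags named above.

```python
import shlex

COMPILERS = {"cc", "gcc", "g++", "c++"}   # assumed compiler driver names
SOURCES = (".c", ".cc", ".cpp", ".cxx")   # assumed source file suffixes

def has_fortify(argv):
    """True if the last _FORTIFY_SOURCE define/undefine leaves it at 2."""
    state = False
    for arg in argv:
        if arg.startswith("-D_FORTIFY_SOURCE"):
            state = arg == "-D_FORTIFY_SOURCE=2"
        elif arg == "-U_FORTIFY_SOURCE":
            state = False
    return state

def has_relro(argv):
    """True if some -Wl,... option hands '-z relro' to the linker."""
    opts = [a.split(",") for a in argv if a.startswith("-Wl,")]
    return any(("-z", "relro") in zip(p[1:], p[2:]) for p in opts)

def audit(log_text):
    """Return (line number, missing variable) for each unhardened command."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            argv = shlex.split(line)
        except ValueError:          # unbalanced quotes: not a command we parse
            continue
        if not argv or argv[0].rsplit("/", 1)[-1] not in COMPILERS:
            continue
        # A single command can both compile and link (e.g. gcc -o tool tool.c).
        compiles = any(a.endswith(SOURCES) for a in argv[1:])
        links = not {"-c", "-E", "-S"} & set(argv)
        if compiles and not has_fortify(argv):
            findings.append((lineno, "CPPFLAGS"))
        if links and not has_relro(argv):
            findings.append((lineno, "LDFLAGS"))
    return findings

# Constructed sample build log, not taken from a real package build.
SAMPLE_LOG = """\
gcc -g -O2 -Wformat -Wformat-security -Werror=format-security -c -o a.o a.c
gcc -g -O2 -D_FORTIFY_SOURCE=2 -c -o b.o b.c
gcc -o prog a.o b.o
gcc -Wl,-z,relro -o prog2 a.o b.o
g++ -g -O2 -D_FORTIFY_SOURCE=2 -o tool tool.cc
make[1]: Leaving directory '/build/demo'
"""
```

`audit(SAMPLE_LOG)` reports line 1 as missing the CPPFLAGS hardening and lines 3 and 5 as missing the LDFLAGS hardening, which is the pattern a build shows when only CFLAGS and CXXFLAGS are passed through.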