[Build-common-hackers] Bug#651964: Bug#651964: cdbs: class/langcore.mk doesn't set CPPFLAGS and LDFLAGS from dpkg-buildflags
Moritz Muehlenhoff
jmm at inutil.org
Tue Jan 31 20:48:23 UTC 2012
On Wed, Dec 14, 2011 at 01:16:40AM +0700, Jonas Smedegaard wrote:
> tags 651964 wontfix
> thanks
>
> On 11-12-13 at 05:34pm, Simon Ruderich wrote:
> > While trying to build poppler with hardening flags I noticed that
> > CPPFLAGS and LDFLAGS were not set correctly. This is an important
> > problem as it causes several hardening flags (fortify source, relro)
> > to not get included in the build.
> >
> > Adding the following lines to class/langcore.mk.in in line 57 where
> > CFLAGS and CXXFLAGS are already set fixes the problem:
> >
> > CPPFLAGS += $(deb_cppflags)
> > LDFLAGS += $(deb_ldflags)
>
>
> Thanks for your bugreport.
>
> I agree with you that some flags were set properly in the past.
> Unfortunately some packages depend on the old broken behaviour, so it
> can not be corrected now.

Hi Jonas,
I'm currently working my way through all packages which have had a DSA
in the last five years and/or which are of Priority >= important.
I've nearly finished all packages based on debhelper and I now proceed with
the packages based on cdbs.

Please reconsider the wontfix: Out of the three *FLAGS emitted by
dpkg-buildflags, CFLAGS is the only option which causes build
problems (almost exclusively due to missing format strings exposed
by "-Wformat -Wformat-security -Werror=format-security").

The two additional flags are harmless and won't cause any further
build failures:

CPPFLAGS=-D_FORTIFY_SOURCE=2 activates the replacement of insecure C library
calls at build time, see here for details:
http://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_FORTIFY_.28gcc.2BAC8-g.2B-.2B-_-D_FORTIFY_SOURCE.3D2.29

LDFLAGS=-Wl,-z,relro activates a linker flag, see here for details:
http://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_RELRO_.28ld_-z_relro.29

I've run test conversions for 200-250 packages and D_FORTIFY_SRC and
relro didn't cause any problems (plus most distros have patched their
toolchain, which enables this by default).

So, please activate these flags as suggested by Simon, otherwise this
causes a lot of additional manual overhead. (Plus, your workaround doesn't
work, see below).

> You can add the following at the top of your rules file to make CDBS
> handle compile flags more sensibly:
>
> CDBS_FIX_COMPILE_FLAGS = 1

Doesn't work for me. In my tests (e.g. with gdm3) it leads to

/usr/share/cdbs/1/class/langcore.mk:65: *** Recursive variable `CFLAGS' references itself (eventually). Stop.
dpkg-buildpackage: error: debian/rules build gave error exit status 2

Cheers,
Moritz
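
Added example, not part of the original thread and not cdbs or dpkg code: a small Python audit of a build log that reports compiler invocations missing the CPPFLAGS and LDFLAGS hardening flags discussed above, which is how a build that only passes CFLAGS through shows up. The function names and the sample log are constructed for this illustration.

```python
import re
import shlex

# Flags the thread says arrive via CPPFLAGS and LDFLAGS from dpkg-buildflags.
FORTIFY = "-D_FORTIFY_SOURCE=2"
RELRO = "-Wl,-z,relro"
# Matches gcc, g++, cc, c++ with optional target prefix and version suffix.
COMPILERS = re.compile(r"^(?:.*-)?(?:gcc|g\+\+|cc|c\+\+)(?:-[\d.]+)?$")
SOURCES = (".c", ".cc", ".cpp", ".cxx")

def missing_hardening(line):
    """Return the hardening flags one compiler invocation lacks."""
    try:
        argv = shlex.split(line)
    except ValueError:  # unbalanced quotes: not a command we can judge
        return []
    if not argv or not COMPILERS.match(argv[0].rsplit("/", 1)[-1]):
        return []
    args = argv[1:]
    compiles = any(a.endswith(SOURCES) for a in args)      # preprocessor runs
    links = not any(a in ("-c", "-S", "-E") for a in args)  # link step runs
    # relro may be combined with other options in a single -Wl, argument.
    has_relro = any(a.startswith("-Wl,") and "-z,relro" in a for a in args)
    missing = []
    if compiles and FORTIFY not in args:
        missing.append(FORTIFY)
    if links and not has_relro:
        missing.append(RELRO)
    return missing

def audit(log_text):
    """Map line number -> missing flags for each offending build-log line."""
    report = {}
    for number, line in enumerate(log_text.splitlines(), start=1):
        flags = missing_hardening(line.strip())
        if flags:
            report[number] = flags
    return report

# Constructed sample log: some lines carry only CFLAGS, as in the bug report.
SAMPLE_LOG = """\
make[1]: Entering directory '/build/example-1.0'
gcc -g -O2 -Wformat -Wformat-security -Werror=format-security -c util.c -o util.o
gcc -D_FORTIFY_SOURCE=2 -g -O2 -c main.c -o main.o
gcc -o example main.o util.o
x86_64-linux-gnu-gcc -Wl,-z,relro -o example main.o util.o
gcc -g -O2 -o tool tool.c
"""

if __name__ == "__main__":
    for number, flags in audit(SAMPLE_LOG).items():
        print(f"line {number}: missing {' '.join(flags)}")
```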