[Build-common-hackers] Bug#712729: Bug#712729: cdbs: langcore.mk: support dpkg-buildflags' DEB_CFLAGS_MAINT_APPEND and similar

Jonas Smedegaard dr at jones.dk
Sun Jan 19 19:50:14 UTC 2014

Quoting Simon Ruderich (2014-01-19 18:42:47)
> Raising severity because this causes missing hardening flags for 
> packages (e.g. shadow and therefore no PIE for setuid su) when the 
> maintainer uses the DEB_* (which includes DEB_BUILD_MAINT_OPTIONS) 
> approach documented in dpkg-buildflags to add additional flags.
> The attached patch should fix this issue by exporting all DEB_* flags 
> when calling dpkg-buildflags. The real issue is that GNU make's 
> $(shell ..) doesn't use the exported environment which is normally 
> used when calling subprocesses.
> There should be no backwards incompatible changes because the 
> maintainer must manually set the DEB_* variables. If none of those 
> variables are used, nothing happens.

Thanks a lot, both for the explanation and the patch.

I happen to have my head deep into cdbs these days, and will apply the 
patch right now - expected to be released later tonight or tomorrow.

 - Jonas

 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
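
Added illustration of the problem described in the quoted report (not the attached patch and not cdbs code): a debian/rules-style fragment that compares relying on exported variables with passing the DEB_* settings on the `$(shell ...)` command line. The sample option values, the `deb_env` helper and the `show-flags` target are assumptions made for this example.

```make
# Constructed debian/rules-style fragment; the option values are samples.
export DEB_BUILD_MAINT_OPTIONS := hardening=+pie,+bindnow
export DEB_CFLAGS_MAINT_APPEND := -Wextra

# Before: relies on the exported environment. With a GNU make whose
# $(shell ...) does not receive exported make variables (the behaviour the
# report describes), dpkg-buildflags sees neither setting and returns the
# default flags, so the requested PIE hardening is silently missing.
CFLAGS_BEFORE := $(shell dpkg-buildflags --get CFLAGS)

# After: put every maintainer variable that is set onto the command line of
# the $(shell ...) call itself, so the result does not depend on how make
# handles exports.
# Assumption: the values contain no single quotes.
deb_patterns := DEB_BUILD_OPTIONS DEB_BUILD_MAINT_OPTIONS \
	DEB_%_MAINT_SET DEB_%_MAINT_STRIP DEB_%_MAINT_APPEND DEB_%_MAINT_PREPEND
deb_env = $(foreach v,$(filter $(deb_patterns),$(.VARIABLES)),$(v)='$($(v))')
CFLAGS_AFTER := $(shell $(deb_env) dpkg-buildflags --get CFLAGS)

# Check: print both results; if they differ, the first form is dropping the
# maintainer's flags.
.PHONY: show-flags
show-flags:
	@echo 'before: $(CFLAGS_BEFORE)'
	@echo 'after:  $(CFLAGS_AFTER)'
```

Run it with `make -f <file> show-flags` on a system with dpkg-dev installed; if no DEB_* variable is set, `deb_env` expands to nothing and both lines are identical.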