Bug#657523: Please enabled hardened build flags
Simon Ruderich
simon at ruderich.org
Sun May 27 12:52:59 UTC 2012
On Sun, May 27, 2012 at 11:56:24AM +0100, Alasdair G Kergon wrote:
> On Sun, May 27, 2012 at 02:42:14AM +0200, Simon Ruderich wrote:
>> - CLDFLAGS="$CLDFLAGS -Wl,--version-script,.export.sym"
>> + CLDFLAGS="$LDFLAGS $CLDFLAGS -Wl,--version-script,.export.sym"
>
> What are typical contents of the LDFLAGS environment variable in Debian?
This command prints the (current) value of LDFLAGS (on a current
sid/wheezy):
dpkg-buildflags --get LDFLAGS
But $LDFLAGS already contains the correct value (and it shouldn't
be hardcoded in debian/rules).
> - Which cmdline parameters are getting lost?
All flags from LDFLAGS.
> - Which lines are 'losing' the enviroment LDFLAGS but actually need it?
The lines I pasted in my original patch. The LDFLAGS are missing
when building those libraries (use hardening-check to detect the
missing flags).
>> +AC_SUBST(LDFLAGS)
>
> Existing inconsistency/bug?
> - make.tmpl.in has LDFLAGS += @LDFLAGS@
Yes, but it's not exported from ./configure without my change.
But I think the following (complete) patch is better than my
original one, it fixes LDFLAGS but passes CLDFLAGS via
debian/rules - thus removing the inconsistency:
diff -Nru lvm2-2.02.95/debian/rules lvm2-2.02.95/debian/rules
--- lvm2-2.02.95/debian/rules 2012-05-03 12:19:33.000000000 +0200
+++ lvm2-2.02.95/debian/rules 2012-05-27 14:45:24.000000000 +0200
@@ -71,7 +71,7 @@
rm -rf $(DIR)
cp -a '$(SOURCE_DIR)' '$(DIR)'
cd $(DIR); \
- ./configure CFLAGS="$(CPPFLAGS) $(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
+ ./configure CFLAGS="$(CPPFLAGS) $(CFLAGS)" LDFLAGS="$(LDFLAGS)" CLDFLAGS="$(LDFLAGS)" \
$(CONFIGURE_FLAGS) \
--libdir=\$${exec_prefix}/lib/$(DEB_HOST_MULTIARCH) \
--with-optimisation="$(CFLAGS_OPT_DEB)" \
@@ -95,7 +95,7 @@
rm -rf $(DIR)
cp -a '$(SOURCE_DIR)' '$(DIR)'
cd $(DIR); \
- ./configure CFLAGS="$(CPPFLAGS) $(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
+ ./configure CFLAGS="$(CPPFLAGS) $(CFLAGS)" LDFLAGS="$(LDFLAGS)" CLDFLAGS="$(LDFLAGS)" \
$(CONFIGURE_FLAGS) \
--with-optimisation="$(CFLAGS_OPT_UDEB)" \
--with-cluster=none \
--- lvm2-2.02.95.orig/configure.in
+++ lvm2-2.02.95/configure.in
@@ -1333,6 +1333,7 @@ AC_SUBST(BUILD_DMEVENTD)
AC_SUBST(BUILD_LVMETAD)
AC_SUBST(CFLAGS)
AC_SUBST(CFLOW_CMD)
+AC_SUBST(LDFLAGS)
AC_SUBST(CLDFLAGS)
AC_SUBST(CLDNOWHOLEARCHIVE)
AC_SUBST(CLDWHOLEARCHIVE)
Regards,
Simon
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-lvm-maintainers/attachments/20120527/047d10ed/attachment.pgp>
More information about the pkg-lvm-maintainers
mailing list