Bug#761129: Please enable hardened build flags

Wed, 10 Sep 2014 14:57:34 -0700 

Package: ldapvi
Version: 1.7-9
Severity: important
Tags: patch
User: hardening-disc...@lists.alioth.debian.org
Usertags: goal-hardening

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


Hello,

Please enable hardened build flags with dpkg-buildflags (patch
attached). dpkg-buildflags handle "noopt" from DEB_BUILD_OPTIONS.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJUEMjIAAoJEJmGUYuaqqClMQsP/0FpUBQ9i8mUnuCEj7ahucsc
+CY+8g9OseRjGZd5fIroePSbJOsGTsxIzz/ZsWNPqrN5xl7pLjZCGXV5t/8WBnWS
Yq+o00gdIbWgP7sr1kJ/J0DJLieOyL8gGtwl7pO7KYov3bCq6AToRNE9KB6ubFBz
Geg3uD0sHrzAcjRkq0trDowa4xIzZ8+3Sk0+/UTqgIkXykX8W6/GzSUbzrQlWOUN
VQY4x5jd/mxUCCaQPvCdBkBmMvvB8Nhlp5TwZSGQ83jRM+mDxLEtZ0TPtniDHMtE
1o17PtsvLqOW3/1fnKq4/B7W3xgLnJ4yGKwCl/EfHOUDz2uF8KRbdJ6KPjK70BHB
wWghZtnSy6qjXFwTgBNIH1xHWxZ0HqY7Rlrki1R+c1kCqFW2PaaW9514hpbOdW/+
ntMmuKtcybDEonah9aAyRxpMuZoWw+49KOF6rChbgSTXKRvWwWkabR0X+/xcevAS
Vc9n4+F/Dt5aqu3xImIXwgwqzeSWVhenY6DpTF29o+cxh+pR53GQc5ZUGp1lanhE
hqhMR8ruRbzjZNG5yEvv1z62IRwa8PUKp1VrAizUOfVkFmyiBAYFetmtH1zFSiAa
VygyfzraeKxnNA5xyKhILLfgHcIHGmRAgcGcA14PqcYhV7QLAqSAlUMBREV4d9U/
93y8L0e1B3NkqBvvIkk8
=qjhd
-----END PGP SIGNATURE-----

diff -u ldapvi-1.7/debian/changelog ldapvi-1.7/debian/changelog
--- ldapvi-1.7/debian/changelog
+++ ldapvi-1.7/debian/changelog
@@ -1,3 +1,11 @@
+ldapvi (1.7-9.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Use dpkg-buildflags and pass *FLAGS to configure
+  * Remove compilation generated files (config.status, GNUmakefile, config.h)
+
+ -- Guillaume Delacour <g...@iroqwa.org>  Wed, 10 Sep 2014 23:40:05 +0200
+
 ldapvi (1.7-9) unstable; urgency=low
 
   * Use fileencoding instead of encoding in vim modeline which makes recent
diff -u ldapvi-1.7/debian/rules ldapvi-1.7/debian/rules
--- ldapvi-1.7/debian/rules
+++ ldapvi-1.7/debian/rules
@@ -11,17 +11,15 @@
 DEB_HOST_GNU_TYPE   ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
 DEB_BUILD_GNU_TYPE  ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
 
-CFLAGS = -Wall -g
+CFLAGS=$(shell dpkg-buildflags --get CFLAGS)
+CFLAGS += -Wall
+CPPFLAGS=$(shell dpkg-buildflags --get CPPFLAGS)
+LDFLAGS=$(shell dpkg-buildflags --get LDFLAGS)
 INSTALL = install
 INSTALL_FILE    = $(INSTALL) -p    -oroot -groot -m644
 INSTALL_PROGRAM = $(INSTALL) -p    -oroot -groot -m755
 INSTALL_SCRIPT  = $(INSTALL) -p    -oroot -groot -m755
 INSTALL_DIR     = $(INSTALL) -p -d -oroot -groot -m755
-ifneq (,$(filter noopt,$(DEB_BUILD_OPTIONS)))
-	CFLAGS += -O0
-else
-	CFLAGS += -O2
-endif
 ifeq (,$(filter nostrip,$(DEB_BUILD_OPTIONS)))
 	INSTALL_PROGRAM += -s
 	STRIP = true
@@ -47,12 +45,14 @@
 	cp -a configure configure.save
 	[ ! -f Makefile ] || $(MAKE) distclean
 	mv configure.save configure
+	# Remove compilation generated files
+	rm -f config.status GNUmakefile config.h
 
 
 build: build-stamp
 build-stamp: patch-stamp
 	$(checkdir)
-	CFLAGS="$(CFLAGS)" ./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info --with-libcrypto=none
+	CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" ./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info --with-libcrypto=none
 	$(MAKE)
 	cd manual && $(MAKE) manual.html
 	touch build-stamp

Reply via email to