Package: dpkg-dev
Version: 1.21.7
Severity: normal
Please add "-ftrivial-auto-var-init=zero" for GCC 12 (which is the first
release of GCC to provide this flag).
It goes well with the other important security flaw mitigation flags
already enabled in Debian:
commit log.
What is going on here?
-Kees
[1] https://lore.kernel.org/lkml/202105280915.9117D7C@keescook/
--
Kees Cook
Hi Ben,
On Mon, Jun 22, 2020 at 01:53:09PM +0100, Ben Hutchings wrote:
> On Sat, 2020-06-20 at 16:38 -0700, Kees Cook wrote:
> > Package: wnpp
> > Severity: wishlist
> > Owner: Kees Cook
> >
> > * Package name: prince-of-persia
> > Version :
Package: wnpp
Severity: wishlist
Owner: Kees Cook
* Package name: prince-of-persia
Version : 1.20
Upstream Author : Dávid Nagy
* URL : https://github.com/NagyD/SDLPoP
* License : GPL-3+
Programming Lang: C
Description : SDL port of the classic Prince
Package: debmirror
Version: 1:2.33
Followup-For: Bug #961197
I think this patch will fix the problem...
--- debmirror~ 2020-05-25 22:33:49.328041109 -0700
+++ debmirror 2020-05-25 22:32:12.255722606 -0700
@@ -2326,6 +2326,8 @@
push (@errlog,$@);
$num_errors++;
}
+
Package: debmirror
Version: 1:2.33
Followup-For: Bug #625696
This needs fixing for security.debian.org. Right now I'm forced to use
"--rsync-extra none" which seems sub-optimal. :)
epends on
CONFIG_SECCOMP_FILTER.
--
Kees Cook@debian.org
On Sat, Mar 14, 2020 at 06:56:30PM +, Scott Kitterman wrote:
>
>
> On March 14, 2020 12:14:48 PM UTC, Guillem Jover wrote:
> >Hi!
> >
> >On Fri, 2020-03-06 at 20:43:05 -0800, Kees Cook wrote:
> >> Package: ftp.debian.org
> >> Severity: normal
Package: ftp.debian.org
Severity: normal
Thanks!
Package: ftp.debian.org
Severity: normal
Thanks!
Package: ftp.debian.org
Severity: normal
Please remove jirc. :)
Thanks!
Package: scantool
Version: 1.21+dfsg-7
Severity: normal
Tags: patch
Instead of masking the ttyUSB* behind the dzcomm "COM*" names, add
support for native Linux serial port handling. This patch appears
to be from Ubuntu Forums user "jlac":
tag 907268 patch
thanks
The attached patch fixes LIRC for me...
--
Kees Cook@debian.org
diff -Nru xine-ui-0.99.9/debian/changelog xine-ui-0.99.9/debian/changelog
--- xine-ui-0.99.9/debian/changelog 2017-01-21 19:12:02.0 -0800
+++ xine-ui
Package: devscripts
Version: 2.17.12ubuntu1
Severity: normal
File: /usr/bin/hardening-check
Tags: patch
Dear Maintainer,
When hardening-check runs "readelf", it's possible that a large stderr
will fill the internal pipe before readelf exits, blocking the process
forever. This can happen with
antics for PROT_EXEC on subprofiles.
> A diff between the profile in the 16.01 Ubuntu package and current HEAD (for
> 16.09) is attached, could you try out that one instead?
I've tried the diff but the problem remains: I still need "m" on the su in the
su
subprofile.
Thanks!
Fix attached...
--
Kees Cook@debian.org
diff -Nru ejabberd-16.09/debian/changelog ejabberd-16.09/debian/changelog
--- ejabberd-16.09/debian/changelog 2017-02-05 04:19:29.0 -0800
+++ ejabberd-16.09/debian/changelog 2017-04-22 07:24
Package: ejabberd
Version: 16.01-2
Severity: normal
Hello!
It looks like the apparmor profile for ejabberdctl's exec of "su" is
missing the "m" permission for the binary, which causes it to fail
when run as root:
# ejabberdctl status
/usr/sbin/ejabberdctl: line 428: 21780 Segmentation fault
> know what happened with that. That said, I do not feel the tool fits
> into lintian - at least not with lintian current design.
devscripts seems fine to me if lintian doesn't want it. :)
-Kees
--
Kees Cook@debian.org
t as deprecated for quite a while now.
>
> Kees, what do you think?
Yeah, it (and hardening-includes) should get removed in favor of
the dpkg-buildflags method. However, this means we need to move the
"hardening-check" script from hardening-includes to lintian,
This is a kernel bug, not a dosemu bug. Please see:
https://lkml.org/lkml/2015/8/13/435
--
Kees Cook@debian.org
-dev files in /usr/lib)?
Thanks!
-Kees
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
), and environment-ignoring: it just calls gcc directly --
is that how autopkgtests should be doing builds?
Thanks!
-Kees
--
Kees Cook
=10544
This was fixed in Gnome upstream and in Ubuntu:
https://bugs.launchpad.net/ubuntu/+source/nautilus/+bug/714958
https://bugs.launchpad.net/ubuntu/+source/nautilus/+bug/724285
The attached patch likely needs the dbus names changed to, e.g.,
org.mate.ScreenSaver.
Thanks!
-Kees
--
Kees Cook
at least 3.16, I think it would be a
good change to backport.
2) Has it been submitted upstream?
I have not, no.
Thanks!
-Kees
--
Kees Cook@debian.org
--
Kees Cook@debian.org
Index: cyrus-sasl2-2.1.26.dfsg1/saslauthd/ipc_unix.c
===
--- cyrus-sasl2-2.1.26.dfsg1.orig/saslauthd/ipc_unix.c 2012-01-27 15:31:36.0 -0800
+++ cyrus-sasl2
Here's an updated patch with proper headers. :)
Also, for background on the solution, see:
http://blog.netherlabs.nl/articles/2009/01/18/the-ultimate-so_linger-page-or-why-is-my-tcp-not-reliable
--
Kees Cook@debian.org
Description: it is possible
'}) ||
You mentioned __intel_security_check_cookie as well. I assume this is
the canary? How is it chosen, what is its value?
(!$elf defined($functions-{'__stack_chk_fail_local'}))) {
good($name, yes)
}
Regards,
Alex
Thanks!
-Kees
--
Kees Cook
depends on:
ii libc6 2.19-0ubuntu6.3
cpio recommends no packages.
Versions of packages cpio suggests:
ii libarchive1 2.8.5-5
-- no debconf information
Description: Identify how to perform fast erase operations on devices that
support it.
Author: Kees Cook k...@debian.org
Index: cpio-2.11+dfsg
Yay! I was able to convince upstream to do a micro release, so now the
delta is tiny. I've attached the new debdiff, which shows just the cert
chain and algo updates, with user agent reporting for their end. Much much
better.
-Kees
--
Kees Cook
Upload approved in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=750699
--
Kees Cook@debian.org
Package: faketime
Version: 0.9.5-2
Severity: normal
The faketime tool does not pass the error code of the child process:
$ /bin/false
$ echo $?
1
$ faketime +1 day /bin/false
$ echo $?
0
-- System Information:
Debian Release: jessie/sid
APT prefers trusty-updates
APT policy: (500,
Potential patch ...
--
Kees Cook@debian.org
Description: pass through exit codes when possible, otherwise report
failure and full waitpid status and exit with a failure.
Author: Kees Cook k...@debian.org
Index: faketime-0.9.5/src/faketime.c
how good Damyan's
work usually is). My goal here is to help the perl maintainers deal
with the transition to 5.20. What do you think?
Yeah, that patch looks fine. Thanks!
-Kees
--
Kees Cook@debian.org
?
That'd be great, yes.
Of course, it would be preferable to upload 2.8.3 instead, and fix
these bugs at the same time :)
I've seen some reports that 2.8.3 has issues with the apache2 module. I
haven't had time to set it up and test, though.
-Kees
--
Kees Cook
Severity: serious
This breaks SMTP TLS connections to debian.org when the client presents
a sha512 cert:
$ grep confSERVER_CERT /etc/mail/sendmail.mc
define(`confSERVER_CERT',`/etc/ssl/certs/smtp-cert.pem')dnl
$ openssl x509 -text -noout -in /etc/ssl/certs/smtp-cert.pem | grep 'Signature
. :)
-Kees
--
Kees Cook
of the situation where someone has 5000
apache virtual host profiles and they update cups. We never want to wait
for those 5000 to be reloaded when cups's profile is installed. Hence,
dh_apparmor.
-Kees
--
Kees Cook
On Thu, Jan 16, 2014 at 02:59:54PM -0800, John Johansen wrote:
On 01/16/2014 02:57 PM, John Johansen wrote:
On 01/16/2014 02:49 PM, Kees Cook wrote:
On Thu, Jan 16, 2014 at 07:37:04PM +0100, Didier 'OdyX' Raboud wrote:
Le jeudi, 16 janvier 2014 10.14:14, vous avez écrit :
On Thu, Jan 16
.
Thanks for finding this!
-Kees
--
Kees Cook@debian.org
I'm not sure what's happening here. Running without an AAHatName should
result in a hat name of DEFAULT_URI. Try setting AAHatName in your
top-level apache configuration?
This likely needs to be reported upstream.
--
Kees Cook@debian.org
still can't reproduce this i386
build problem. I'm uploading again now, and will see what the buildds
produce...
-Kees
--
Kees Cook@debian.org
there is a
demonstrated requirement to do it. Given that this is a security-sensitive
library, I want to actively discourage any kind of static linking.
(This policy has already uncovered bugs in things like qemu.)
-Kees
--
Kees Cook@debian.org
On Mon, Oct 07, 2013 at 01:08:44AM +0200, Bastian Blank wrote:
On Sun, Oct 06, 2013 at 03:47:10PM -0700, Kees Cook wrote:
I don't want to ship a static library for libseccomp unless there is a
demonstrated requirement to do it.
I'm thinking about using it in cdebootstrap, which needs
I'm open to suggestions on how to accomplish this. Unfortunately, I don't
know of a reliable way for the optimization level of an ELF to be
discovered.
--
Kees Cook@debian.org
daemons on localhost and my primary
interface. With the addition of IPv6, this pushes me to 12 combinations
of listeners.
I suggest raising this seemingly arbitrary limit to much larger. Please see
attached patch.
Thanks!
-Kees
--
Kees Cook@debian.org
owners don't want it
enabled, they can choose to turn it off in /etc/sysctl.d/, just like other
things.
-Kees
--
Kees Cook@debian.org
where this might come
up (some init implementation being written static and wanting libseccomp),
so when that shows up, we can close this bug then. In the meantime, I'll
keep resisting. :)
Thanks, also for finding a bug in qemu! :)
Sure thing! :)
-Kees
--
Kees Cook
that it's a bug,
but since it's not the case, I'm not sure why you closed it.
At the moment, libseccomp is closely tied to building only on architectures
that support seccomp. As those architectures are added, I'll be adding more
archs to the buildable list.
-Kees
--
Kees Cook
seccomp mode 2 (which is what libseccomp works with) is only supported on
x86. ARM support will be added in kernel version 3.8.
-Kees
--
Kees Cook@debian.org
I would strongly prefer to avoid shipping a static library for this package
to avoid programs linking to this non-dynamically, especially since it
makes security updates more difficult to track. Do you have a compelling
need for this?
-Kees
--
Kees Cook
(yay batch files), and the
amount of work to get it building from source is huge. The DOSEMU folks
already did this work, and since the source is not changing, there is no
reason to do rebuilds.
I'll add a note to the copyright file.
-Kees
--
Kees Cook
,
-Kees
--
Kees Cook@debian.org
Description: setting backoff-cutoff 0; in dhclient.conf will cause
dhclient to divide by zero and crash. It should be handled more
gracefully.
Author: Kees Cook k...@ubuntu.com
Index: isc-dhcp-4.2.4/client/dhclient.c
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: freeze-exception
Please unblock package libseccomp
libseccomp just released their 1.0.0 version which has ABI changes over the
earlier 0.1.0 release. This is a new library and no packages in
+with apparmor on during purge.
+ * debian/patches/fix-network-rule-support.patch: handle lack of
+networking features correctly (Closes: 679597).
+
+ -- Kees Cook k...@debian.org Mon, 16 Jul 2012 11:52:42 -0700
+
apparmor (2.7.103-3) unstable; urgency=low
* debian/control: drop
Argh, the body should say Version 2.7.103-4 contains fixes for ...
^
EMOARCOFFEE
-Kees
--
Kees Cook@debian.org
the system init starts.
Thanks,
-Kees
--
Kees Cook@debian.org
diff -Nru initramfs-tools-0.106/debian/changelog
initramfs-tools-0.107~0kees1/debian/changelog
--- initramfs-tools-0.106/debian/changelog 2012-06-07 05:40:53.0
-0700
+++ initramfs
for catching that!
-Kees
--
Kees Cook@debian.org
-not-mediate-kernel-bas.patch
My preference would be to apply the networking patch, along with 0003
and 0004 posted here.
-Kees
--
Kees Cook
Hi Dererk,
On Fri, Jun 22, 2012 at 01:49:32PM -0300, Dererk wrote:
What do you think about switching if type aa-status for a if [ -x
/usr/sbin/aa-status ] instead?
Yeah, this seems like the best solution. I'll get this fixed. Thanks!
-Kees
--
Kees Cook
Does this happen with the recent upload with the r2080 snapshot?
--
Kees Cook@debian.org
Package: wnpp
Severity: wishlist
Owner: Kees Cook k...@debian.org
* Package name: libseccomp
Version : 0.1.0
Upstream Author : Paul Moore pmo...@redhat.com
* URL : https://sourceforge.net/projects/libseccomp/
* License : LGPLv2
Programming Lang: C
Hi Ben,
On Tue, Jun 05, 2012 at 08:43:21PM +0100, Ben Hutchings wrote:
On Tue, 2012-06-05 at 11:07 -0700, Kees Cook wrote:
Package: wnpp
Severity: wishlist
Owner: Kees Cook k...@debian.org
* Package name: libseccomp
Version : 0.1.0
Upstream Author : Paul Moore pmo
it usable.
Does changing both work as well? It seems like sending RESET_CLOSE_DIALOG
isn't right either, based on the state machine that sets
RESET_HANDLE_CLONE.
-Kees
--
Kees Cook@debian.org
an heuristic, since it is possible to only use the
functions in ways that are compile-time verifiable, resulting in no need
for the protected wrapper.
-Kees
--
Kees Cook@debian.org
Thanks for the testing and details. I've got the needed changes staged
in experimental now.
--
Kees Cook@debian.org
on more critical targets.
There's no reason to drop the binary package. Once apache2.4 is in
unstable, we can just update the pieces. In the meantime, I can prepare
an upload in experimental.
--
Kees Cook@debian.org
.
-Kees
--
Kees Cook@debian.org
--
Kees Cook@debian.org
to figure out how
much noise these checks will add?
-Kees
--
Kees Cook@debian.org
and description:
- overrides (we can't do much about FP etc.)
What is needed for this? Should I expand the descriptions more? Or was
there something else?
Thanks!
-Kees
--
Kees Cook@debian.org
From 44917dcc8af48043cb22b104398cfc494b74fbf6 Mon Sep 17 00:00:00
script version of this script is
# Copyright (C) 1998 Christian Schwarz
#
# The objdump version, including support for etch's binutils, is
# Copyright (C) 2008 Adam D. Barratt
#
# This version, a trimmed-down wrapper for hardening-check, is
# Copyright (C) 2012 Kees Cook k...@debian.org
)
Read-only relocations: yes
Immediate binding: no not found!
It looks like the LDFLAGS are not being passed to the build.
Thanks!
-Kees
--
Kees Cook@debian.org
running ldd, and I only needed ldd to generate the function list dynamically.
If it's static, things are faster and more portable. It'll just need updating
from time to time when anything major happens with eglibc.
-Kees
--
Kees Cook@debian.org
Hello,
The attached patches are needed in libcaca and toilet to fix
rendering width when specifying the -w option in toilet. For
users of figfont that do not set up a terminal width in their
canvas first, I've left the old default of 80 characters.
Thanks,
-Kees
--
Kees Cook
On Tue, Mar 06, 2012 at 06:36:07PM +0100, Niels Thykier wrote:
On 2012-03-06 01:58, Kees Cook wrote:
Right -- though I have no way around this. All the pieces needed for
these checks come from the new dpkg-buildflags. Perhaps the hardening
check can be disabled for the backport, since it's
Hi Russ,
On Tue, Mar 06, 2012 at 10:08:31AM -0800, Russ Allbery wrote:
Kees Cook k...@debian.org writes:
This was the big problem. I spent a lot of time trying to see how bad it
would be to fix every build in the testsuite to DTRT with respect to
dpkg-buildflags, but it was a losing
On Tue, Mar 06, 2012 at 11:36:42AM -0800, Russ Allbery wrote:
Kees Cook k...@debian.org writes:
Okay. In that case, I think the work needs to be broken into several pieces:
- make lintian work for wheezy (but disable internal tests for hardening)
A better way than disabling it might
On Mon, Mar 05, 2012 at 11:29:46AM +0100, Niels Thykier wrote:
On 2012-03-05 04:47, Kees Cook wrote:
- It requires the latest dpkg-dev (still in experimental) to get
the dpkg-buildflags that supports --query-features.
Unfortunately I see two issues here. First, we have been asked
file on the fly for a test.
Doing manual testing shows that building, for example, the hello
package as-is triggers appropriate warnings, and when I fix the hello
package to import the dpkg-buildflags correctly, the lintian warnings
go away. :)
-Kees
--
Kees Cook
This may cause trouble with the .so's -fPIC bits, so you can probably leave the
entire
line off, unless you want to enable bindnow:
export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow
I'm adding Kees Cook to CC. Kees, did you see similar issues with C++
on Ubuntu when g++ was patched to use
On Wed, Jan 11, 2012 at 03:12:39PM -0700, Bdale Garbee wrote:
On Sun, 11 Sep 2011 11:14:39 -0700, Kees Cook k...@debian.org wrote:
Package: sudo
Version: 1.7.4p6-1
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu oneiric ubuntu-patch
in the Debian kernel would be nice, but I'd like to see this all
solved correctly.
In the meantime, the tool emits the warning.
-Kees
--
Kees Cook@debian.org
), including dh_apparmor
in it, and then ask on -devel who is looking for a home for orphan dh_*
scripts.
If there's no other scripts, I could just toss it into the apparmor package
too. Gergely, let me know how you'd like me to handle it. I'm fine with
whatever location.
Thanks,
-Kees
--
Kees Cook
Hi Guillem,
On Sun, Dec 18, 2011 at 09:42:50AM +0100, Guillem Jover wrote:
On Fri, 2011-12-16 at 16:39:25 -0800, Kees Cook wrote:
Fresh patch attached! :)
Thanks! Could you split the refactoring/cleaning into its own patch
(actually something that already crossed my mind when first seeing
On Thu, Dec 29, 2011 at 04:14:47AM +0100, Guillem Jover wrote:
On Wed, 2011-12-28 at 15:28:45 -0800, Kees Cook wrote:
On Sun, Dec 18, 2011 at 09:42:50AM +0100, Guillem Jover wrote:
On Fri, 2011-12-16 at 16:39:25 -0800, Kees Cook wrote:
Fresh patch attached! :)
Thanks! Could you
is considered stable and exportable, I have
no problem with this. If debhelper will change its ABI in the future,
then this separate package is going to be a pain to maintain.
-Kees
--
Kees Cook@debian.org
Package: libcap2
Version: 1:2.22-1
Severity: normal
Tags: patch
Hi!
In support of the Multi-Arch release goal, here is a patch that builds
libcap2 to be Multi-Arch installable, which includes splitting the PAM
module into a separate package.
Thanks!
-Kees
--
Kees Cook
Package: libgphoto2
Version: 2.4.11-3.1
Severity: normal
Tags: patch
Hello!
In an effort to reach the Multi-Arch release goal, here is a patch to
build libgphoto2 for Multi-Arch, along with a few other subtle fixes. :)
Thanks!
-Kees
--
Kees Cook
Package: libgd2
Version: 2.0.36~rc1~dfsg-6
Severity: normal
Tags: patch
Hi!
The attached patch provides the changes needed to build with Multi-Arch
support, and removes the shipped .la files completely. Both are in support
of their respective release goals.
Thanks,
-Kees
--
Kees Cook
On Fri, Dec 16, 2011 at 09:25:10AM +0100, Raphael Hertzog wrote:
On Thu, 15 Dec 2011, Kees Cook wrote:
While doing this, it seemed that creating a full set_feature() callback
was more work than it needed to be. I can certainly add it, but I thought
I'd show you where I am now first. If you
the
Pre-Depends, but yes, everything else was in the wiped-out control file. :)
Thanks!
-Kees
--
Kees Cook@debian.org
diff -Nru libproxy-0.3.1/debian/changelog libproxy-0.3.1/debian/changelog
--- libproxy-0.3.1/debian/changelog 2011-10-24 18:28
Hi Raphael,
On Fri, Dec 09, 2011 at 12:02:21PM +0100, Raphael Hertzog wrote:
On Thu, 08 Dec 2011, Kees Cook wrote:
This patch adds that ability, and lets the environment correctly adjust it:
$ dpkg-buildflags --features hardening
-bindnow,+format,+fortify,-pie,+relro,+stackprotector
understanding of
the logic in that script.
Thanks!
-Kees
--
Kees Cook@debian.org
On Fri, Dec 09, 2011 at 09:27:18AM +0100, Alexander Reichle-Schmehl wrote:
Am 08.12.2011 23:40, schrieb Kees Cook:
Backporting concerns and output stability:
==
Both the FTP-masters and Lintian.d.o needs everything in stable (or
stable-backports
On Fri, Dec 09, 2011 at 02:27:25PM -0400, Joey Hess wrote:
Kees Cook wrote:
Uhm, it wasn't something that made sense to forward to Debian until now,
since it would have had nearly zero value without the apparmor package
existing in Debian.
In other words, Ubuntu got a feature in 2007
perspective
in run time.
To get this, is the use of dpkg-architecture best way or simpler way.
I would use DEB_HOST_MULTIARCH during the build to hardcode it into
the program, which is what is already done for things like ibus-daemon
via the build system.
--
Kees Cook
Hi,
This is an updated Multi-arch path with additional changes to the rules
file.
Thanks,
-Kees
--
Kees Cook@debian.org
diff -u libao-1.1.0/debian/compat libao-1.1.0/debian/compat
--- libao-1.1.0/debian/compat
+++ libao-1.1.0/debian/compat
@@ -1 +1
Package: isdnutils
Version: 1:3.9.20060704+dfsg.2-12
Severity: normal
Tags: patch
Hello!
This patch provides Multi-Arch support, and removes the unused .la files.
Both are to further the respective release goals.
Thanks,
-Kees
--
Kees Cook
On Sat, Dec 03, 2011 at 11:20:05AM +0100, Niels Thykier wrote:
On 2011-12-02 01:33, Kees Cook wrote:
1) With these build tests added, all the other internal lintian tests
need to either:
a) add the new warnings to their tags file, or
b) have all their builds adjusted
to update hardening-check to use readelf instead[2]?
Yeah, I can do this manually instead of invoking ldd(1). From the
perspective of doing build checks, it seems like a non-issue, but better to
just fix it anyway. I'll update hardening-check.
--
Kees Cook
1 - 100 of 538 matches