Your message dated Mon, 18 Oct 2021 16:36:55 +0200
with message-id <[email protected]>
and subject line CPPFLAGS will not be supported by upstream
has caused the Debian Bug report #653916,
regarding cmake does not support CPPFLAGS environment variable
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
653916: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=653916
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: korundum
Version: 4:4.7.4-1
Severity: important
Tags: patch
Dear Maintainer,
The CPPFLAGS hardening flags are missing because CMake ignores
them by default.
The following patch fixes the issue by adding them to
CFLAGS/CXXFLAGS. For more hardening information please have a
look at [1], [2] and [3].
diff -Nru korundum-4.7.4/debian/rules korundum-4.7.4/debian/rules
--- korundum-4.7.4/debian/rules 2012-04-02 20:14:12.000000000 +0200
+++ korundum-4.7.4/debian/rules 2012-04-07 18:15:10.000000000 +0200
@@ -1,5 +1,10 @@
#! /usr/bin/make -f
+# CMake doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to enable the
+# missing (hardening) flags.
+export DEB_CFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS)
+export DEB_CXXFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS)
+
#Always use Ruby 1.8.x
RUBY_SITEARCH := $(shell ruby1.8 -rrbconfig -e 'puts
Config::CONFIG["sitearch"]')
CMAKE_FLAGS := \
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (hardening-check doesn't catch everything).
$ hardening-check /usr/bin/krubyapplication
/usr/lib/kde4/krubypluginfactory.so ...
/usr/bin/krubyapplication:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: no not found!
/usr/lib/kde4/krubypluginfactory.so:
Position Independent Executable: no, regular shared library (ignored)
Stack protected: no, not found!
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no not found!
...
(Position Independent Executable and Immediate binding is not
enabled by default.)
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
Control: tag -1 + wontfix
Upstream has stated that CPPFLAGS will not be supported because of
its ill-defined use with different compilers for different languages:
https://gitlab.kitware.com/cmake/cmake/-/issues/20631#note_757166
Cheers
Timo
--
⢀⣴⠾⠻⢶⣦⠀ ╭────────────────────────────────────────────────────╮
⣾⠁⢠⠒⠀⣿⡁ │ Timo Röhling │
⢿⡄⠘⠷⠚⠋⠀ │ 9B03 EBB9 8300 DF97 C2B1 23BF CC8C 6BDD 1403 F4CA │
⠈⠳⣄⠀⠀⠀⠀ ╰────────────────────────────────────────────────────╯
signature.asc
Description: PGP signature
--- End Message ---
