Your message dated Sat, 14 Oct 2023 17:55:12 +0200
with message-id <[email protected]>
and subject line Re: Bug#950097: rauc: no hardening when building from git
repository
has caused the Debian Bug report #950097,
regarding rauc: no hardening when building from git repository
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
950097: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950097
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rauc
Version: 1.2-1
Severity: minor
When building rauc 1.2-1 from the git repository cloned from salsa I
get:
    $ dpkg-buildpackage -uc -us
    ...
    $ lintian -EL '>=pedantic' ../rauc_1.2-1_amd64.changes
    I: rauc: hardening-no-fortify-functions usr/bin/rauc
    I: rauc-service: package-supports-alternative-init-but-no-init.d-script
    lib/systemd/system/rauc.service
    I: rauc-service: systemd-service-file-missing-install-key
    lib/systemd/system/rauc.service
    I: rauc source: testsuite-autopkgtest-missing
    X: rauc source: upstream-metadata-file-is-missing

When I do

    mv .git ../rauc.git

before building I get however:

    $ dpkg-buildpackage -uc -us
    ...
    $ lintian -EL '>=pedantic' ../rauc_1.2-1_amd64.changes
    I: rauc-service: package-supports-alternative-init-but-no-init.d-script
    lib/systemd/system/rauc.service
    I: rauc-service: systemd-service-file-missing-install-key
    lib/systemd/system/rauc.service
    I: rauc source: testsuite-autopkgtest-missing
    X: rauc source: upstream-metadata-file-is-missing

So the hardening-no-fortify-functions problem only occurs in the presence of
the .git directory.
This is related to ./configure assuming that debugging should be enabled if a
.git directory exists, which in turn adds -O0 to the command line (in addition
to the -O2 that is present in both cases).
According to
https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_FORTIFY_.28gcc.2Fg.2B-.2B-_-D_FORTIFY_SOURCE.3D2.29
"for this feature to be fully enabled, the source must also be compiled with
-O1 or higher."
It is of little relevance for Debian, as the packages are built from the
source package and there is no .git directory, but it is still ugly.
Maybe we should pass --disable-debugging to configure? Or convince
upstream that this assumption (.git present => --enable-debug) is a bad
idea?
Best regards
Uwe
--- End Message ---
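
Added example, not part of the bug report or of the rauc packaging: a shell check for the situation described above, where a later -O0 overrides an earlier -O2 and leaves -D_FORTIFY_SOURCE without effect. The function names fortify_status and scan_build_log are hypothetical, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the rauc packaging). GCC honours the last -O
# option on the command line, and glibc only enables _FORTIFY_SOURCE when
# the compiler is optimizing, so "-O2 ... -O0" silently drops the hardening.

# fortify_status "<compiler command line>" prints one of:
#   effective      fortify requested and the final -O level is above 0
#   ineffective    fortify requested, but built at -O0 or with no -O at all
#   not-requested  _FORTIFY_SOURCE never defined, undefined again, or set to 0
fortify_status() {
    opt=0; fortify=0
    set -f              # no globbing while the line is split into words
    set -- $1
    set +f
    for arg in "$@"; do
        arg=${arg#-Wp,}                 # also accept -Wp,-D_FORTIFY_SOURCE=N
        case $arg in
            -O0) opt=0 ;;
            -O*) opt=1 ;;               # -O, -O1, -O2, -O3, -Os, -Og, -Ofast
            -D_FORTIFY_SOURCE=*) fortify=${arg#-D_FORTIFY_SOURCE=} ;;
            -D_FORTIFY_SOURCE)   fortify=1 ;;
            -U_FORTIFY_SOURCE)   fortify=0 ;;
        esac
    done
    if [ "$fortify" = 0 ]; then echo not-requested
    elif [ "$opt" = 0 ]; then echo ineffective
    else echo effective
    fi
}

# scan_build_log reads a build log on stdin and prints the line numbers of
# compiler invocations whose fortify request cannot take effect.
scan_build_log() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case $line in
            gcc\ *|cc\ *|*-gcc\ *)
                [ "$(fortify_status "$line")" = ineffective ] && echo "$n" ;;
        esac
    done
    return 0
}

# Constructed sample log: flags as in the report, file names invented.
SAMPLE_LOG='gcc -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -O0 -c src/a.c
gcc -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -c src/a.c
libtool: link: gcc -O0 -o rauc a.o'
```

Piping a saved build log into scan_build_log flags the affected compile lines before lintian is run on the finished package.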
--- Begin Message ---
On Tue, Jan 28, 2020 at 11:02:10PM +0100, Uwe Kleine-König wrote:
> Source: rauc
> Version: 1.2-1
> Severity: minor
I didn't invest the effort to find out since when this is fixed, but for
1.10.1 the problem is gone, so I'm closing this.
Best regards
Uwe
--
Pengutronix e.K. | Uwe Kleine-König |
Industrial Linux Solutions | https://www.pengutronix.de/ |
--- End Message ---