Your message dated Thu, 20 Nov 2025 21:49:01 +0000
with message-id <[email protected]>
and subject line Bug#1119494: fixed in murasaki 1.68.6-16
has caused the Debian Bug report #1119494,
regarding murasaki: please build using the default build flags
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1119494: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119494
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: murasaki
Version: 1.68.6-15
User: [email protected]
Usertags: hardening-buildflags
murasaki is not currently using the default build flags set by
dpkg-buildflags(1).
The default flags are chosen for multiple reasons including security,
performance, reproducibility, adherence to standards, and error handling.
Please make sure that murasaki builds using the default build flags. blhc(1p)
and hardening-check(1) can be used to confirm that the issue is fixed.
In the general case, packages honoring CFLAGS, LDFLAGS, and other
similar environment variables get the default build flags for free
without the need for any work on the maintainer side. In the case of
murasaki, the flags are either ignored or overridden.
The most common reasons for this are:
Hand-written Makefiles
----------------------
Some upstream Makefiles either override the values of variables such as
CFLAGS and similar or do not use them at all. See:
https://wiki.debian.org/HardeningWalkthrough#Handwritten_Makefiles
Misconfigured build systems
---------------------------
If the upstream code uses autotools, CMake, or other popular build
systems, it usually requires no further modifications. It might however
be that some variables are hardcoded in some way.
In this CMake snippet, the value of CXXFLAGS is overwritten with "-O2":
    set(CMAKE_CXX_FLAGS "-O2")
If the intention is to append to CXXFLAGS, one should use the following
instead:
    set(CMAKE_CXX_FLAGS "-O2 ${CMAKE_CXX_FLAGS}")
See #655870 for a similar autotools example.
Very old debhelper usage
------------------------
Packages not using dh(1), or those using a debhelper compatibility level
less than 9, need to manually include /usr/share/dpkg/buildflags.mk in
order for the dpkg-buildflags variables to be set:
https://wiki.debian.org/Hardening#dpkg-buildflags
Flags hardcoded in debian/rules (either voluntarily or not)
-----------------------------------------------------------
Some packages voluntarily hardcode the values of CFLAGS and friends in
debian/rules, ignoring the defaults set by dpkg-buildflags(1).
Others attempt to append to the variables, but end up accidentally
overriding the defaults:
    #!/usr/bin/make -f
    export CFLAGS += -pipe -fPIC -Wall

    %:
    	dh $@
Debhelper only sets CFLAGS if it is not set yet. In the example above,
when dh is invoked the value of CFLAGS is "-pipe -fPIC -Wall", hence the
hardened defaults are not used. The right way to append to CFLAGS is
using DEB_CFLAGS_MAINT_APPEND instead, as documented in
dpkg-buildflags(1).
For a detailed analysis of this issue, see:
https://people.debian.org/~ema/nocflags_paper.pdf (eprint: hal-05334704)
--- End Message ---
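
A simplified version of the kind of build-log check that blhc(1p) is used for above, as an added example (it is not part of the original report and is not blhc itself). The required flag set is an assumption based on the dpkg-buildflags defaults, and the build log, file names and function names are constructed for illustration.

```python
import re
import shlex

# Assumed flag set: dpkg-buildflags defaults for C/C++ on current Debian.
# Confirm on the build host with `dpkg-buildflags --get CFLAGS` (etc.).
COMPILE_FLAGS = ["-fstack-protector-strong", "-Wformat",
                 "-Werror=format-security", "-D_FORTIFY_SOURCE=2"]
LINK_FLAGS = ["-Wl,-z,relro"]
SOURCE_EXT = (".c", ".cc", ".cpp", ".cxx")
COMPILER = re.compile(r"^(?:.+-)?(?:gcc|g\+\+|cc|c\+\+|clang\+\+|clang)(?:-\d+)?$")

def missing_flags(line):
    """Hardening flags absent from one compiler command line.

    Returns None when the line is not a compiler invocation."""
    try:
        argv = shlex.split(line)
    except ValueError:          # unbalanced quotes: not a plain command line
        return None
    if not argv or not COMPILER.match(argv[0].rsplit("/", 1)[-1]):
        return None
    args = set(argv[1:])
    compiles = "-c" in args or any(a.endswith(SOURCE_EXT) for a in args)
    links = not args & {"-c", "-E", "-S"}
    required = (COMPILE_FLAGS if compiles else []) + (LINK_FLAGS if links else [])
    return [flag for flag in required if flag not in args]

def scan_build_log(text):
    """Map 1-based line number -> missing flags for under-hardened lines."""
    findings = {}
    for number, line in enumerate(text.splitlines(), 1):
        missing = missing_flags(line)
        if missing:
            findings[number] = missing
    return findings

# Constructed build log: lines 2 and 4 are what a Makefile that ignores
# CXXFLAGS/LDFLAGS produces; lines 3 and 5 carry the default flags.
SAMPLE_LOG = """\
dh_auto_build
g++ -O3 -Wall -c -o align.o align.cc
g++ -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -c -o seq.o seq.cc
g++ -o tool align.o seq.o
g++ -Wl,-z,relro -o tool align.o seq.o
"""

if __name__ == "__main__":
    for number, missing in scan_build_log(SAMPLE_LOG).items():
        print(f"line {number}: missing {' '.join(missing)}")
```
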
--- Begin Message ---
Source: murasaki
Source-Version: 1.68.6-16
Done: Étienne Mollier <[email protected]>
We believe that the bug you reported is fixed in the latest version of
murasaki, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Étienne Mollier <[email protected]> (supplier of updated murasaki package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 20 Nov 2025 22:27:17 +0100
Source: murasaki
Architecture: source
Version: 1.68.6-16
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team <[email protected]>
Changed-By: Étienne Mollier <[email protected]>
Closes: 1119494
Changes:
murasaki (1.68.6-16) unstable; urgency=medium
.
* Team upload.
* d/changelog: trim trailing whitespace.
* buildflags.patch: new: propagate build flags. (Closes: #1119494)
* d/rules: activate full hardening.
The relocation bug documented in comment is now fixed apparently.
* d/copyright: drop the old FSF mail address.
* d/control: murasaki depends by default on gnuplot-nox.
This may be revisited for gnuplot-x11 if deemed more appropriate.
* d/copyright: document the origin of debian-tests-data.
* d/control: drop redundant Rules-Requires-Root: no.
Checksums-Sha1:
0c64b621f85ec1d10b6c0353255b66c137c0ca5d 2876 murasaki_1.68.6-16.dsc
369b04bad9c7829f6393c05e55f3a993b96267be 12152 murasaki_1.68.6-16.debian.tar.xz
Checksums-Sha256:
08133cbf49abaca5013d05a695858970cf1309d843c52e3fa6284d45539b2306 2876 murasaki_1.68.6-16.dsc
0f3f9cf8d18debe330d2090d75ec8bfa0deda1f1d4ed6992f9328a3e6e15889e 12152 murasaki_1.68.6-16.debian.tar.xz
Files:
e59ed509f5a2f6dfccac1a2aa4e4e93a 2876 science optional murasaki_1.68.6-16.dsc
86ffac3298220692218ba36a83346184 12152 science optional murasaki_1.68.6-16.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---