Your message dated Fri, 28 Nov 2025 13:19:09 +0000
with message-id <[email protected]>
and subject line Bug#1119507: fixed in ntpstat 0.0.0.1-3
has caused the Debian Bug report #1119507,
regarding ntpstat: please build using the default build flags
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1119507: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119507
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ntpstat
Version: 0.0.0.1-2
User: [email protected]
Usertags: hardening-buildflags

ntpstat is not currently using the default build flags set by 
dpkg-buildflags(1).
The default flags are chosen for multiple reasons including security,
performance, reproducibility, adherence to standards, and error handling.

Please make sure that ntpstat builds using the default build flags. blhc(1p)
and hardening-check(1) can be used to confirm that the issue is fixed.

In the general case, packages honoring CFLAGS, LDFLAGS, and other
similar environment variables get the default build flags for free
without the need for any work on the maintainer side. In the case of
ntpstat, the flags are either ignored or overridden.

The most common reasons for this are:

Hand-written Makefiles
----------------------
Some upstream Makefiles either override the values of variables such as
CFLAGS and similar or do not use them at all. See:
https://wiki.debian.org/HardeningWalkthrough#Handwritten_Makefiles

Misconfigured build systems
---------------------------
If the upstream code uses autotools, CMake, or other popular build
systems, it usually requires no further modifications. It might however
be that some variables are hardcoded in some way.

In this CMake snippet, the value of CXXFLAGS is overwritten with "-O2":

 set(CMAKE_CXX_FLAGS "-O2")

If the intention is to append to CXXFLAGS, one should use the following
instead:

 set(CMAKE_CXX_FLAGS "-O2 ${CMAKE_CXX_FLAGS}")

See #655870 for a similar autotools example. 

Very old debhelper usage
------------------------
Packages not using dh(1), or those using a debhelper compatibility level
less than 9, need to manually include /usr/share/dpkg/buildflags.mk in
order for the dpkg-buildflags variables to be set:
https://wiki.debian.org/Hardening#dpkg-buildflags

Flags hardcoded in debian/rules (either voluntarily or not)
-----------------------------------------------------------
Some packages voluntarily hardcode the values of CFLAGS and friends in
debian/rules, ignoring the defaults set by dpkg-buildflags(1).

Others attempt to append to the variables, but end up accidentally
overriding the defaults:

 #!/usr/bin/make -f
 export CFLAGS += -pipe -fPIC -Wall

 %:
        dh $@

Debhelper only sets CFLAGS if it is not set yet. In the example above,
when dh is invoked the value of CFLAGS is "-pipe -fPIC -Wall", hence the
hardened defaults are not used. The right way to append to CFLAGS is
using DEB_CFLAGS_MAINT_APPEND instead, as documented in
dpkg-buildflags(1).

For a detailed analysis of this issue, see:
https://people.debian.org/~ema/nocflags_paper.pdf (eprint: hal-05334704)

--- End Message ---
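
The override patterns listed in the report above (a debian/rules that assigns CFLAGS and friends directly, a rules file that neither runs dh at compat 9 or later nor includes buildflags.mk, and a CMake set() that drops the incoming flags) can be caught with a static check before building. The following is an added example, not part of the bug report or of any Debian tool; the function names, the compat parameter and the sample inputs are assumptions constructed for illustration.

```python
import re

FLAGS = r"(?:CFLAGS|CXXFLAGS|CPPFLAGS|LDFLAGS)"
ASSIGN = re.compile(rf"^\s*(?:export\s+)?({FLAGS})\s*(\+=|:=|\?=|=)")
USES_DH = re.compile(r"^\s+dh\s+\$@", re.M)
INCLUDES_MK = re.compile(r"^\s*-?include\s+/usr/share/dpkg/(?:buildflags|default)\.mk", re.M)
CMAKE_SET = re.compile(r"set\s*\(\s*(CMAKE_(?:C|CXX)_FLAGS)\s+(.*)\)", re.I)


def lint_rules(text, compat=13):
    """Return (line, message) findings for a debian/rules file; line 0 = whole file."""
    findings = []
    # dh with compat >= 9 sets the flags itself; anything else needs buildflags.mk.
    if (compat < 9 or not USES_DH.search(text)) and not INCLUDES_MK.search(text):
        findings.append((0, "dpkg-buildflags variables never set: include /usr/share/dpkg/buildflags.mk"))
    for no, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:  # hardcoded or "appended" flags replace the defaults dh would have set
            var, op = m.groups()
            findings.append((no, f"{var} {op} replaces the defaults; use DEB_{var}_MAINT_APPEND"))
    return findings


def lint_cmake(text):
    """Flag set(CMAKE_<LANG>_FLAGS ...) calls that drop the incoming value."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = CMAKE_SET.search(line.split("#", 1)[0])  # ignore trailing comments
        if m and "${" + m.group(1) + "}" not in m.group(2):
            findings.append((no, f"{m.group(1)} overwritten; keep ${{{m.group(1)}}} in the value"))
    return findings


# Constructed sample inputs (the first mirrors the debian/rules quoted in the report).
BAD_RULES = "#!/usr/bin/make -f\nexport CFLAGS += -pipe -fPIC -Wall\n\n%:\n\tdh $@\n"
GOOD_RULES = ("#!/usr/bin/make -f\nexport DEB_BUILD_MAINT_OPTIONS = hardening=+all\n"
              "export DEB_CFLAGS_MAINT_APPEND = -pipe -fPIC -Wall\n\n%:\n\tdh $@\n")
OLD_RULES = "#!/usr/bin/make -f\nbuild:\n\t$(MAKE)\n"  # no dh, no buildflags.mk
CMAKE = 'set(CMAKE_CXX_FLAGS "-O2")\nset(CMAKE_CXX_FLAGS "-O2 ${CMAKE_CXX_FLAGS}")\n'

if __name__ == "__main__":
    for name, result in [("bad rules", lint_rules(BAD_RULES)), ("good rules", lint_rules(GOOD_RULES)),
                         ("old rules", lint_rules(OLD_RULES)), ("cmake", lint_cmake(CMAKE))]:
        print(name, result)
```

A clean result from this check does not replace blhc(1p) or hardening-check(1), which inspect the build log and the resulting binaries.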
--- Begin Message ---
Source: ntpstat
Source-Version: 0.0.0.1-3
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
ntpstat, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated ntpstat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 28 Nov 2025 13:49:12 +0100
Source: ntpstat
Architecture: source
Version: 0.0.0.1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1119507
Changes:
 ntpstat (0.0.0.1-3) unstable; urgency=medium
 .
   [ Ondřej Nový ]
   * Use debhelper-compat instead of debian/compat.
 .
   [ Thomas Goirand ]
   * Add /usr/share/dpkg/buildflags.mk to use default build flags
     (Closes: #1119507).
   * Switch to debhelper 13.
   * Standards-Version: 4.7.2.
   * Fix d/copyright.
   * Set DEB_BUILD_MAINT_OPTIONS=hardening=+all.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---