Hi Charles and all,

thanks again: Debian is teaching me how to do these things better.

I used part of your patch in LASTv199. (I didn't include the "+=" changes, because I think the purpose of those flag variables is to let you override them if you want to. You might consider including "-O3" in your override.)

By the way, in your "rules" file, I think "clean" is no longer needed (now in the upstream makefile), nor is "--directory src" (there is now a top-level makefile).

Please let me know if I misunderstood something.

Have a nice day,
Martin
http://www.cbrc.jp/~martin/

On Mon, Apr 30, 2012 at 11:16 AM, Charles Plessy <ple...@debian.org> wrote:
> Hi Martin,
>
> please consider the patch below for the makefile of LAST. It
> allows to set the compiler, preprocessor and linker separately,
> which is the way Debian follows when passing 'hardening' flags
> (see below).
>
> Cheers,
>
> -- Charles
>
> On Sat, Apr 07, 2012 at 06:47:11PM +0200, Simon Ruderich wrote:
> > Package: last-align
> > Version: 198-1
> > Severity: important
> > Tags: patch
> >
> > Dear Maintainer,
> >
> > The hardening flags are missing because the build system ignores
> > them.
> >
> > The attached patch fixes the issue, if possible it should be sent
> > to upstream.
> >
> > To check if all flags were correctly enabled you can use
> > `hardening-check` from the hardening-includes package and check
> > the build log (hardening-check doesn't catch everything):
> >
> >     $ hardening-check /usr/bin/lastdb /usr/bin/lastal
> >     /usr/bin/lastdb:
> >      Position Independent Executable: no, normal executable!
> >      Stack protected: yes
> >      Fortify Source functions: no, only unprotected functions found!
> >      Read-only relocations: yes
> >      Immediate binding: no not found!
> >     /usr/bin/lastal:
> >      Position Independent Executable: no, normal executable!
> >      Stack protected: yes
> >      Fortify Source functions: yes (some protected functions found)
> >      Read-only relocations: yes
> >      Immediate binding: no not found!
> >
> > (Position Independent Executable and Immediate binding is not
> > enabled by default.)
> >
> > Use find -type f \( -executable -o -name \*.so\* \) -exec
> > hardening-check {} + on the build result to check all files.
> >
> > Regards,
> > Simon
> >
> > [1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
> > [2]: https://wiki.debian.org/HardeningWalkthrough
> > [3]: https://wiki.debian.org/Hardening
> > --
> > + privacy is necessary
> > + using gnupg http://gnupg.org
> > + public key id: 0x92FEFDB7E44C32F9
>
> Description: Use build flags from environment (dpkg-buildflags).
>  Necessary for hardening flags.
> Author: Simon Ruderich <si...@ruderich.org>
> Last-Update: 2012-04-07
>
> --- last-align-198.orig/makefile > +++ last-align-198/makefile > @@ -1,4 +1,4 @@ > -CXXFLAGS = -O3 > +CXXFLAGS += -O3 > all: > @cd src && $(MAKE) CXXFLAGS="$(CXXFLAGS)" > > --- last-align-198.orig/src/makefile > +++ last-align-198/src/makefile > @@ -1,12 +1,12 @@ > CXX = g++ > CC = gcc > > -CXXFLAGS = -O3 -Wall -Wextra -Wcast-qual -Wswitch-enum -Wundef \ > +CXXFLAGS += -O3 -Wall -Wextra -Wcast-qual -Wswitch-enum -Wundef \ > -Wcast-align -Wno-long-long -ansi -pedantic > # -Wconversion > # -fomit-frame-pointer ? > > -CFLAGS = -Wall > +CFLAGS += -Wall > > DBSRC = Alphabet.cc MultiSequence.cc CyclicSubsetSeed.cc \ > SubsetSuffixArray.cc LastdbArguments.cc io.cc fileMap.cc \
> @@ -50,16 +50,16 @@ OBJ = lambda_calculator.o > all: lastdb lastal lastex > > lastdb: $(DBSRC) $(DBINC) makefile > - $(CXX) $(CXXFLAGS) -o $@ $(DBSRC) > + $(CXX) $(CPPFLAGS) $(CXXFLAGS) $(LDFLAGS) -o $@ $(DBSRC) > > lastal: $(ALSRC) $(ALINC) makefile $(OBJ) > - $(CXX) $(CXXFLAGS) -o $@ $(ALSRC) $(OBJ) > + $(CXX) $(CPPFLAGS) $(CXXFLAGS) $(LDFLAGS) -o $@ $(ALSRC) $(OBJ) > > lastex: $(EXSRC) $(EXINC) makefile > - $(CXX) -Igumbel_params $(CXXFLAGS) -o $@ $(EXSRC) > + $(CXX) -Igumbel_params $(CPPFLAGS) $(CXXFLAGS) $(LDFLAGS) -o $@ > $(EXSRC) > > $(OBJ): CA_code/*.c CA_code/*.h makefile > - $(CC) $(CFLAGS) -c CA_code/lambda_calculator.c > + $(CC) $(CPPFLAGS) $(CFLAGS) -c CA_code/lambda_calculator.c > > clean: > rm -f lastdb lastal lastex $(OBJ) >
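
Review bot: In the top-level makefile hunk (@@ -1,4 +1,4 @@), `CXXFLAGS += -O3` places `-O3` after whatever the environment supplied, so an optimisation level chosen by the builder (for example `-O0` for a debug build) is silently replaced, because the last `-O` option on a GCC command line wins. If `-O3` is meant as a default that the environment can still override, put it first instead, e.g. `CXXFLAGS := -O3 $(CXXFLAGS)`.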
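
Review bot: In the src/makefile hunk at @@ -1,12 +1,12 @@, the new `CXXFLAGS +=` line has no effect when the build is started from the top-level makefile, which passes `CXXFLAGS="$(CXXFLAGS)"` on the sub-make command line: GNU make ignores ordinary assignments, `+=` included, to a variable that was set on the command line, so the `-Wall -Wextra ...` warnings only apply when make is run directly in src. Either stop passing the variable on the command line and export it instead, or write `override CXXFLAGS +=` here. The unchanged `CXX = g++` and `CC = gcc` context lines also still take precedence over `CXX` and `CC` from the environment, so the compiler can only be changed on the make command line.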
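
Review bot: In the src/makefile hunk at @@ -50,16 +50,16 @@, the added `lastex` recipe line is broken after `-o $@` in this quoted copy, and `$(EXSRC)` sits on a continuation line without a `+` prefix, so the hunk will not apply as mailed; rejoin that line or send the patch as an attachment. After rebuilding with the new recipes, rerun `hardening-check` on lastdb, lastal and lastex and confirm that the "Fortify Source functions" result for lastdb has changed, since `-D_FORTIFY_SOURCE` is delivered through `$(CPPFLAGS)`, which the old recipes never used.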
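
Whether the hardening flags reach the compiler depends on how make resolves `CXXFLAGS` when it is set in the makefile, in the environment and on the command line. The script below is an added example, not part of the thread or of LAST: it generates a small makefile containing either `CXXFLAGS = -O3` or `CXXFLAGS += -O3` and reports the value make ends up with. The `effective_flags` helper and the sample flag string are constructed for illustration, and GNU make is assumed to be installed.

```shell
#!/bin/sh
# effective_flags OP WHERE VALUE   (hypothetical helper, not from LAST)
#   OP    : '=' or '+='   assignment operator written into the makefile
#   WHERE : env | cmdline | none   how VALUE is handed to make
# Prints the CXXFLAGS value that a recipe in that makefile would see.
effective_flags() {
    op=$1; where=$2; value=$3
    dir=$(mktemp -d) || return 1
    # printf expands \t so the recipe line gets the tab that make requires.
    printf 'CXXFLAGS %s -O3\nshow:\n\t@echo "$(CXXFLAGS)"\n' "$op" \
        > "$dir/makefile"
    (
        # Start from a clean slate so the caller's environment cannot leak in.
        unset CXXFLAGS MAKEFLAGS MAKELEVEL
        case $where in
            env)     CXXFLAGS=$value; export CXXFLAGS
                     make -s -f "$dir/makefile" show ;;
            cmdline) make -s -f "$dir/makefile" show "CXXFLAGS=$value" ;;
            *)       make -s -f "$dir/makefile" show ;;
        esac
    )
    status=$?
    rm -rf "$dir"
    return $status
}

# Constructed stand-in for the flags a packaging tool would export.
sample='-g -O2 -fstack-protector'

for op in '=' '+='; do
    for where in env cmdline; do
        printf '%-2s %-7s -> %s\n' "$op" "$where" \
            "$(effective_flags "$op" "$where" "$sample")"
    done
done
```

With `=` the environment value is discarded, which is the behaviour the bug report describes; with `+=` it is kept and `-O3` is appended; a command-line value replaces both forms.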