Hi, 2016-01-29 0:46 GMT+01:00 Guillem Jover <guil...@debian.org>: > Hi! > > On Tue, 2016-01-26 at 15:33:40 +0100, Balint Reczey wrote: >> Package: dpkg >> Version: 1.18.4 >> Severity: wishlist >> Tags: patch >> User: bal...@balintreczey.hu >> Usertags: hardened1-linux-amd64 > >> This is the second patch enabling extra flags in dpkg in case the >> hardened1-linux-amd64 port is accepted in #812782. > >> diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm >> index db40b2c..2f39d82 100644 >> --- a/scripts/Dpkg/Vendor/Debian.pm >> +++ b/scripts/Dpkg/Vendor/Debian.pm >> @@ -177,6 +177,14 @@ sub _add_reproducible_flags { >> + my $arch = get_host_arch(); >> + my ($abi, $os, $cpu) = debarch_to_debtriplet($arch); >> + >> + unless (defined $abi and defined $os and defined $cpu) { >> + warning(g_("unknown host architecture '%s'"), $arch); >> + ($abi, $os, $cpu) = ('', '', ''); >> + } >> + > >> + if ($abi =~ /^(?:gnuhardened1)$/) { >> + # Enable address and undefined behavior sanitizers for the >> + # hardened ports >> + $use_feature{address} = 1; >> + $use_feature{undefined} = 1; >> + } >> + > > >> + if ($abi =~ /^(?:gnuhardened1)$/) { >> + # Enable bindnow on hardened ports >> + $use_feature{bindnow} = 1; >> + } >> +
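Review bot: in the `@@ -177,6 +177,14 @@` hunk, `$os` and `$cpu` are unpacked and checked for definedness, but the quoted additions only ever test `$abi`. If the other two are not needed in this function, check only `$abi` so that the "unknown host architecture" warning is tied to the value actually used. Otherwise add a comment saying where `$os` and `$cpu` are consumed.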
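Review bot: in the sanitizer block, `$use_feature{address} = 1` and `$use_feature{undefined} = 1` are assigned unconditionally once the ABI matches, and the quoted lines do not show whether this runs before the maintainer and user feature options are applied. It should run before, so that a package can still switch either sanitizer off on this port. Separately, `/^(?:gnuhardened1)$/` has a single alternative, so `$abi eq 'gnuhardened1'` reads more plainly and does not accept a trailing newline. The comment says "hardened ports" while the test matches exactly one ABI.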
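Review bot: the bindnow block repeats the same `$abi =~ /^(?:gnuhardened1)$/` test as the sanitizer block. Computing the result once (for example a boolean derived from `$abi`) and using it in both places keeps the two defaults from drifting apart when another hardened ABI is added. The quoted portion of the patch also carries no documentation change for the new per-port defaults of `address`, `undefined` and `bindnow`. The place where the feature defaults are described should state them.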
>
> Unfortunately I don't think this is a good idea. Due to at least two
> reasons. First not all packages are using dpkg-buildflags, which means
> that many will simply fail to build if one of the libraries they use
> is using ASAN but the program is not (AFAIUI). And because this is

I plan on providing patches for those packages, but I see your point.

> part of the ABI so it should really be a default in the compiler. This
> is part of the architecture definition. So this to me seems like the
> wrong place to set these.

I'm working towards adding those as default GCC flags. I have already
added PIE which I previously set in dpkg: #812889.
Setting the flags in dpkg makes it possible to create the port before the
GCC patches are stable. My thinking was that I could migrate to changing
GCC later without breaking the ABI.

Cheers,
Balint