Control: block -1 by 812782

On Fri, 2016-01-29 at 12:55:42 +0100, Bálint Réczey wrote:
> 2016-01-29 0:46 GMT+01:00 Guillem Jover <[email protected]>:
> > On Tue, 2016-01-26 at 15:33:40 +0100, Balint Reczey wrote:
> >> Package: dpkg
> >> Version: 1.18.4
> >> Severity: wishlist
> >> Tags: patch
> >> User: [email protected]
> >> Usertags: hardened1-linux-amd64
> >
> >> This is the second patch enabling extra flags in dpkg in case the
> >> hardened1-linux-amd64 port is accepted in #812782.
> >
> >> diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
> >> index db40b2c..2f39d82 100644
> >> --- a/scripts/Dpkg/Vendor/Debian.pm
> >> +++ b/scripts/Dpkg/Vendor/Debian.pm
> >> @@ -177,6 +177,14 @@ sub _add_reproducible_flags {
> >
> >> +    if ($abi =~ /^(?:gnuhardened1)$/) {
> >> +     # Enable bindnow on hardened ports
> >> +     $use_feature{bindnow} = 1;
> >> +    }
> >> +
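Review bot: the condition on the first added line, $abi =~ /^(?:gnuhardened1)$/, wraps a single literal in a non-capturing group and anchors it, so a plain string comparison ($abi eq 'gnuhardened1') would state the test more directly and would not accept a trailing newline the way "$" does. If more hardened ABI names are expected to join the alternation later, say so in the comment, which currently reads "hardened ports" in the plural while the pattern matches exactly one name. The quoted hunk also does not show where $abi is assigned, so confirm it is in scope at this point in the sub.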
> 
> > Unfortunately I don't think this is a good idea. Due to at least two
> > reasons. First not all packages are using dpkg-buildflags, which means
> > that many will simply fail to build if one of the libraries they use
> > is using ASAN but the program is not (AFAIUI). And because this is

> I plan on providing patches for those packages, but I see your point.
> 
> > part of the ABI so it should really be a default in the compiler. This
> > is part of the architecture definition. So this to me seems like the
> > wrong place to set these.

> I'm working towards adding those as default GCC flags. I have already added
> PIE which I previously set in dpkg: #812889 .

Actually setting bindnow and PIE would be fine as part of the default
build flags from dpkg, because those do not change the ABI in
principle. And those are the only ones I'd accept from this bug
report, but certainly not the ABI changing ones.

> Setting the flags in dpkg makes it possible to create the port before the GCC
> patches are stable. My thinking was that I could migrate to changing GCC later
> without breaking the ABI.

Not an option really. Having a stable ABI is a prerequisite for any new
dpkg architecture, until that has happened I'm not planning on considering
such additions.

Thanks,
Guillem
