Source: rauc
Version: 1.2-1
Severity: minor

When building rauc 1.2-1 from the git repository cloned from salsa I
get:

        $ dpkg-buildpackage -uc -us
        ...
        $ lintian -EL '>=pedantic' ../rauc_1.2-1_amd64.changes
        I: rauc: hardening-no-fortify-functions usr/bin/rauc
        I: rauc-service: package-supports-alternative-init-but-no-init.d-script lib/systemd/system/rauc.service
        I: rauc-service: systemd-service-file-missing-install-key lib/systemd/system/rauc.service
        I: rauc source: testsuite-autopkgtest-missing
        X: rauc source: upstream-metadata-file-is-missing

When I do

        mv .git ../rauc.git

before building, however, I get:

        $ dpkg-buildpackage -uc -us
        ...
        $ lintian -EL '>=pedantic' ../rauc_1.2-1_amd64.changes
        I: rauc-service: package-supports-alternative-init-but-no-init.d-script lib/systemd/system/rauc.service
        I: rauc-service: systemd-service-file-missing-install-key lib/systemd/system/rauc.service
        I: rauc source: testsuite-autopkgtest-missing
        X: rauc source: upstream-metadata-file-is-missing

So the hardening-no-fortify-functions problem only occurs in the presence of
the .git directory.

This is related to ./configure assuming that debugging should be enabled if a
.git directory exists, which in turn adds -O0 to the command line (in addition
to the -O2 that is present in both cases).

According to
https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_FORTIFY_.28gcc.2Fg.2B-.2B-_-D_FORTIFY_SOURCE.3D2.29
"for this feature to be fully enabled, the source must also be compiled with
-O1 or higher."

It is of little relevance for Debian, as the packages are built from the
source package and there is no .git directory, but it is still ugly.

Maybe we should pass --disable-debugging to configure? Or convince
upstream that this assumption (.git present => --enable-debug) is a bad
idea?

Best regards
Uwe
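
The interaction described in the report, as an added example that is not part of the original message or of rauc's build system: a shell check that reads a compile line, finds the optimisation level GCC will actually use (the last -O option wins) and reports whether _FORTIFY_SOURCE can take effect. The function names and the two compile lines are constructed, and the assumption is that -O0 ends up after -O2 on the command line.

```shell
#!/bin/sh
# Added example: decide from a compile line whether _FORTIFY_SOURCE can take effect.
# GCC uses only the last -O option given; with no -O option the level is -O0.

# Print the effective optimisation level (0, 1, 2, 3, s, g, fast, ...).
effective_opt() (
    set -f                      # no globbing while splitting the flag string
    level=0
    for word in $1; do
        case $word in
            -O)   level=1 ;;            # plain -O means -O1
            -O?*) level=${word#-O} ;;
        esac
    done
    printf '%s\n' "$level"
)

# Print the last _FORTIFY_SOURCE value requested, 0 if undefined.
fortify_level() (
    set -f
    fortify=0
    for word in $1; do
        case $word in
            -D_FORTIFY_SOURCE)   fortify=1 ;;
            -D_FORTIFY_SOURCE=*) fortify=${word#-D_FORTIFY_SOURCE=} ;;
            -U_FORTIFY_SOURCE)   fortify=0 ;;
        esac
    done
    printf '%s\n' "$fortify"
)

# Combine both: fortification needs the macro and any level other than -O0.
fortify_status() {
    opt=$(effective_opt "$1")
    fort=$(fortify_level "$1")
    if [ "$fort" = 0 ]; then
        echo "inactive: _FORTIFY_SOURCE not enabled"
    elif [ "$opt" = 0 ]; then
        echo "inactive: _FORTIFY_SOURCE=$fort but effective level is -O0"
    else
        echo "active: _FORTIFY_SOURCE=$fort at -O$opt"
    fi
}

# Constructed compile lines (not taken from a real rauc build log).
WITH_GIT="gcc -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -O0 -c example.c"
WITHOUT_GIT="gcc -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -c example.c"
echo "with .git:    $(fortify_status "$WITH_GIT")"
echo "without .git: $(fortify_status "$WITHOUT_GIT")"
```

Feeding the compile lines from a real build log through `fortify_status` shows which translation units lose fortification before lintian is run on the result.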
