Package: alsa-lib
Severity: important
Tags: patch

Dear Maintainer,

Please consider enabling hardening flags which are a release goal
for wheezy. For more information please have a look at [1], [2]
and [3].

The attached patch uses dpkg-buildflags to automatically enable
the hardening flags. It also enables a verbose build so missing
flags are easily detected. DEB_*_MAINT_APPEND is the preferred
way to set additional flags (see man dpkg-buildflags for more
information). -g and noopt are automatically handled by
dpkg-buildflags.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package:

    $ hardening-check /usr/lib/x86_64-linux-gnu/libasound.so.2.0.0 /usr/lib32/libasound.so.2.0.0
    /usr/lib/x86_64-linux-gnu/libasound.so.2.0.0:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/lib32/libasound.so.2.0.0:
     Position Independent Executable: no, regular shared library (ignored)
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru alsa-lib-1.0.25/debian/rules alsa-lib-1.0.25/debian/rules
--- alsa-lib-1.0.25/debian/rules	2012-02-11 19:44:21.000000000 +0100
+++ alsa-lib-1.0.25/debian/rules	2012-03-05 18:54:52.000000000 +0100
@@ -3,6 +3,9 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 
+# Enable verbose build.
+export V=1
+
 export DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
 export DEB_HOST_GNU_TYPE  ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
 
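Review bot: The comment above the added `export V=1` does not say why verbosity is forced on, while the `#export DH_VERBOSE=1` line just above it stays opt-in. Suggest wording the comment along the lines of "Verbose build so the compiler and linker flags are visible in the build log", so the line is not later commented out like its neighbour.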
@@ -18,13 +21,10 @@
 	'-Vbidev:Depends=libc6-dev-i386'
 endif
 
-CFLAGS = -g -Wall -D_GNU_SOURCE
+export DEB_CFLAGS_MAINT_APPEND = -Wall -D_GNU_SOURCE
 
-ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
-	CFLAGS += -O0
-else
-	CFLAGS += -O2
-endif
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
 
 autoreconf-stamp:
 	dh_testdir
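
Review bot: The added `include /usr/share/dpkg/buildflags.mk` at the end of the changed block makes the build fail outright when that file is missing, and this patch touches only debian/rules. buildflags.mk ships with dpkg-dev 1.16.1 and later, so a matching versioned Build-Depends in debian/control should accompany the change. Separately, `-D_GNU_SOURCE` is a preprocessor define and fits better in `DEB_CPPFLAGS_MAINT_APPEND` than in `DEB_CFLAGS_MAINT_APPEND`.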

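The `hardening-check` step from the message, turned into a parser that could fail a build on a missing flag. This is an added example, not part of the original report or of the hardening-includes package; it assumes the report layout quoted above, and `parse_report` and `failures` are hypothetical names.

```python
import re

# Sample report: the output quoted in the message above, embedded so this runs offline.
SAMPLE = """\
/usr/lib/x86_64-linux-gnu/libasound.so.2.0.0:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
/usr/lib32/libasound.so.2.0.0:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
"""

CHECK_LINE = re.compile(r"\s+([^:]+):\s+(yes|no)\b[,\s]*(.*)")


def parse_report(text):
    """Return {path: {check_name: (passed, detail)}} from hardening-check output."""
    report, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        # An unindented line ending in ':' starts the section for one binary.
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = report.setdefault(line.rstrip()[:-1], {})
            continue
        m = CHECK_LINE.match(line)
        if m and current is not None:
            name, verdict, detail = m.groups()
            # "(ignored)" marks a check that does not apply (PIE on a shared library).
            passed = verdict == "yes" or detail.endswith("(ignored)")
            current[name] = (passed, detail)
    return report


def failures(report):
    """Return {path: [failed check names]} for binaries with at least one failed check."""
    failed = {}
    for path, checks in report.items():
        names = sorted(n for n, (ok, _) in checks.items() if not ok)
        if names:
            failed[path] = names
    return failed


if __name__ == "__main__":
    for path, names in failures(parse_report(SAMPLE)).items():
        print(f"{path}: missing {', '.join(names)}")
```
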