Hi Andrei,

Since wheezy is frozen now, all fresh uploads with substantial changes (e.g. new upstream release) should target 'experimental' instead of 'unstable' in debian/changelog. I will upload backports to NeuroDebian anyways ;-)

now hardening, which I am not much of an expert unfortunately:

> Recently lintian has grown clever enough to require -D_FORTIFY_SOURCE

;-) mention that those are just warnings, so theoretically could be ignored (unless it is a daemon app etc), but it is indeed great to have them addressed

> and other nifty things as described here: http://wiki.debian.org/Hardening.
> I now duly added the recommended flags to CXXFLAGS, which is not representing
> an issue to write about per se except for the fact that I had to omit -fPIE
> and -pie. With these latter two, my private libsigfile.so fails to build.

interesting... as far as I see it *pie* hardening is even more optional and surprised that the dyn library doesn't build for you with fPIC?

> However, adding the following to my debian/rules happens to be enough to
> silence lintian:

;-) per se you don't need to "silence" it (yet) for these

> export DEB_BUILD_HARDENING=1
> CXXFLAGS=$(shell dpkg-buildflags --get CFLAGS)
> LDFLAGS=$(shell dpkg-buildflags --get LDFLAGS)
> # CXXFLAGS+=$(HARDENING_CFLAGS)
> # LDFLAGS+=$(HARDENING_LDFLAGS)
> ## hardening-wrapper doesn't seem to be available
> ## on all target arches yet, so try adding these flags manually
> export CXXFLAGS += -Wformat -Wformat-security -Werror=format-security
> -D_FORTIFY_SOURCE=2 -fstack-protector --param ssp-buffer-size=4
> export LDFLAGS += -z relro -z now

well -- if you just care to "silence lintian", i.e. to introduce hardening only where supported, you could do smth like what I have done for freeipmi:

    override_dh_auto_configure:
    	dh_auto_configure -- $(shell dpkg-buildflags --export=configure | grep CFLAGS )

so, where dpkg-buildflags provides those hardening flags -- they would be used. and would build just fine otherwise

> Here's the link to .DSC file:
> http://johnhommer.com/academic/code/aghermann/source/deb/aghermann_0.7.0-1.dsc.
> Hope all will build well.

does it for you?

;-) so tune up release to experimental and may be give it a 2nd thought on how to treat hardening args and reupload .dsc

Cheers!
-- 
Yaroslav O. Halchenko
Postdoctoral Fellow, Department of Psychological and Brain Sciences
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik
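
Added example, not part of the message above: a shell check that the hardening flags discussed in the thread (-z relro, -z now, -fstack-protector, -D_FORTIFY_SOURCE=2, -fPIE/-pie) actually show up in a built ELF file, by scanning `readelf -W -h -l -d --dyn-syms` output. The function names and the readelf excerpt are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): summarise hardening features from the
# text of `readelf -W -h -l -d --dyn-syms <file>` read on stdin.

_has() { printf '%s\n' "$_elf" | grep -Eq -- "$1"; }

check_hardening() {
    _elf=$(cat)
    relro=no bindnow=no stackprot=no fortify=no pie=no
    # -z relro: the linker emits a GNU_RELRO program header
    if _has '^[[:space:]]*GNU_RELRO'; then relro=yes; fi
    # -z now: BIND_NOW tag, BIND_NOW inside FLAGS, or NOW inside FLAGS_1
    if _has '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'; then bindnow=yes; fi
    # -fstack-protector: instrumented functions reference __stack_chk_fail
    if _has '[[:space:]]__stack_chk_fail(@|[[:space:]]|$)'; then stackprot=yes; fi
    # -D_FORTIFY_SOURCE=2: libc calls are redirected to __<name>_chk variants
    if _has '[[:space:]]__[a-z0-9]+_chk(@|[[:space:]]|$)'; then fortify=yes; fi
    # -fPIE -pie: the executable has ELF type DYN (shared libraries always do)
    if _has '^[[:space:]]*Type:[[:space:]]+DYN'; then pie=yes; fi
    printf 'relro=%s bindnow=%s stackprot=%s fortify=%s pie=%s\n' \
        "$relro" "$bindnow" "$stackprot" "$fortify" "$pie"
}

# Constructed readelf excerpt: built with the flags from the quoted
# debian/rules, but without -fPIE/-pie.
sample_hardened_no_pie() {
cat <<'EOF'
ELF Header:
  Type:                              EXEC (Executable file)
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x8
  GNU_RELRO      0x000de8 0x0000000000600de8 0x0000000000600de8 0x000218 0x000218 R   0x1
Dynamic section at offset 0xe00 contains 25 entries:
 0x0000000000000018 (BIND_NOW)
Symbol table '.dynsym' contains 6 entries:
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (4)
EOF
}

sample_hardened_no_pie | check_hardening
```

On a real build, feed it `readelf -W -h -l -d --dyn-syms path/to/binary | check_hardening`. A `stackprot=no` or `fortify=no` result can also mean the code simply had no functions eligible for that protection.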

