> lintian gives none of the new errors, but I still see them on mentors:
>
> http://mentors.debian.net/package/resiprocate

This was discussed on debian-mentors today - some lintian warnings are not 100% reliable.

> Bart, can you give us any other tips about these errors? Have I done
> the right thing with the debian/rules file for resiprocate? Does it
> matter where the binary package is built for these *FLAGS to be
> effective, e.g. if I build my binary package on a machine running
> squeeze, then the hardening stuff won't be in the code and
> mentors/lintian will complain?

I've done builds of all my packages on squeeze and after tweaking the hardening stuff some more, I found that most of the warnings go away, so building on squeeze seems to be a requirement now.

Setting *FLAGS directly didn't work reliably; I found this method most reliable with both cmake and autotools projects:

DEB_BUILD_MAINT_OPTIONS = hardening=+all
DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk

The new libmusicbrainz5 and flactag packages are up now:

http://mentors.debian.net/package/libmusicbrainz
http://mentors.debian.net/package/flactag

I notice lintian still gives a stack-protector warning for one of the binaries, discid, even though both binaries are compiled and linked with the correct flags - they are both built the same way using autotools.

/bin/bash ./libtool --tag=CXX --mode=link g++ -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -fPIE -pie -Wl,-z,relro -Wl,-z,now -o discid discid.o DiscIDWrapper.o Cuesheet.o CuesheetTrack.o -ldiscid -ljpeg
libtool: link: g++ -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -fPIE -pie -Wl,-z -Wl,relro -Wl,-z -Wl,now -o discid discid.o DiscIDWrapper.o Cuesheet.o CuesheetTrack.o -ldiscid -ljpeg

$ hardening-check flactag
flactag:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes

$ hardening-check discid
discid:
 Position Independent Executable: yes
 Stack protected: no, not found!
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes
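
Added example (not part of the original message, and not hardening-check's own code): a symbol-based check of the kind that produces the "Stack protected" line above. It reports a binary as protected only when it references `__stack_chk_fail`, and `-fstack-protector` only instruments functions that contain a character array of at least `ssp-buffer-size` bytes, so a binary built with the flag can still report "no" if none of its functions qualify. The sample symbol tables are constructed, and the function names are hypothetical.

```python
import re
import subprocess

# Constructed `readelf --dyn-syms -W` rows; not taken from flactag or discid.
SAMPLE_WITH_CANARY = """\
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (4)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __libc_start_main@GLIBC_2.2.5 (2)
"""
SAMPLE_NO_CANARY = """\
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (4)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __libc_start_main@GLIBC_2.2.5 (2)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strlen@GLIBC_2.2.5 (2)
"""


def symbol_names(readelf_output):
    """Return the set of symbol names with any @VERSION suffix removed."""
    names = set()
    for line in readelf_output.splitlines():
        fields = line.split()
        # Symbol rows start with "<index>:" and carry the name in column 8;
        # header lines and the empty entry 0 are skipped by this test.
        if len(fields) >= 8 and fields[0].rstrip(":").isdigit():
            names.add(fields[7].split("@")[0])
    return names


def check(readelf_output):
    """Classify a binary from its dynamic symbols, as a symbol-based checker would."""
    syms = symbol_names(readelf_output)
    return {
        # A canary failure handler is referenced only if some function got a canary.
        "stack_protected": "__stack_chk_fail" in syms,
        # Fortified libc wrappers are named __<function>_chk.
        "fortified_functions": sorted(s for s in syms if re.fullmatch(r"__\w+_chk", s)),
    }


def check_file(path):
    """Run the same check on a real ELF file (requires binutils' readelf)."""
    out = subprocess.run(["readelf", "--dyn-syms", "-W", path],
                         capture_output=True, text=True, check=True).stdout
    return check(out)


if __name__ == "__main__":
    print("with canary:   ", check(SAMPLE_WITH_CANARY))
    print("without canary:", check(SAMPLE_NO_CANARY))
```

A "no" from this kind of check therefore means no canary reference was found in the binary, not necessarily that the compiler flag was missing from the build.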

