Re: Bug#1066033: RFS: galvani/0.34-1 [ITP] -- reads data from a device with graphical plots and evaluation

2024-04-14 Thread Dr. Burkard Lutz
On Tuesday, 09.04.2024 at 03:11 +, mentors.debian.net wrote:
> 
> A comment has been posted to a package you uploaded:
> 
> From: Alex Myczko
> Package: galvani
> Url: https://mentors.debian.net/package/galvani/
> 
> ---
> Vcs fields are easy to fix, do you already have an account on
> salsa.debian.org ?
> ---
> 
> Thanks,

I have an entry in debian/control:
#Vcs-Git: https://salsa.debian.org/blutz/galvani.git
#Vcs-Browser: https://salsa.debian.org/blutz/galvani

But I forgot to delete the hashes.

Thank you.



Bug#1066033: RFS: galvani/0.34-1 [ITP] -- reads data from a device with graphical plots and evaluation

2024-03-28 Thread Dr. Burkard Lutz
Hi Jeremy,
thank you for all your detailed explanations.

Burkard

On Wednesday, 27.03.2024 at 22:24 +, Jeremy Sowden wrote:
> On 2024-03-27, at 10:48:45 +0100, Dr. Burkard Lutz wrote:
> > On Tuesday, 26.03.2024 at 17:03 +, Jeremy Sowden wrote:
> > > [...]
> > > 
> > > The following should suffice:
> > > 
> > >   export DH_VERBOSE = 1
> > >   export DEB_BUILD_MAINT_OPTIONS = hardening=+all
> > >   export DEB_LDFLAGS_MAINT_APPEND = -lstdc++fs
> > > 
> > >   %:
> > >   dh $@ --with autoreconf
> > > 
> > 
> > So, this is exactly what I had initially.
> > 
> > > Running the build one can see:
> > > 
> > >   g++ [...] -D_FORTIFY_SOURCE=2 [...]
> > > 
> > > so the right argument is being passed to the compiler.  There is a list
> > > of the functions that are fortified here:
> > > 
> > >   https://www.gnu.org/software/libc/manual/html_node/Source-Fortification.html
> > > 
> > > Does the software use any of these?  If not, this is a false
> > > positive.
> > > 
> > > J.
> > 
> > Galvani only uses "open" for file operations and "read" to read from
> > usb devices.
> > 
> > I'm a bit confused now. The output of "blhc galvani_0.34-1_amd64.build"
> > is empty, but "hardening-check -vR /usr/bin/galvani" gives:
> > 
> > /usr/bin/galvani:
> >  Position Independent Executable: yes
> >  Stack protected: yes
> >  Fortify Source functions: no, only unprotected functions found!
> >   unprotected: read
> >   unprotected: memcpy
> >   unprotected: readlink
> >   unprotected: vsnprintf
> >   unprotected: memset
> >   unprotected: memmove
> >   unprotected: realpath
> >   unprotected: getcwd
> >  Read-only relocations: yes
> >  Immediate binding: yes
> >  Stack clash protection: unknown, no -fstack-clash-protection instructions found
> >  Control flow integrity: no, not found!
> > --
> > followed by a long list.
> 
> I've taken a closer look and I don't think you have anything to worry
> about.  Lintian's complaint relates to five unfortified function symbols
> in the galvani binary:
> 
>     getcwd
>     read
>     vsnprintf
>     realpath
>     readlink
> 
> hardening-check(1) lists an additional three.  Of the eight, the galvani
> source itself only includes one of them: read(2).  The others are
> presumably being pulled in via inline functions or templates from header
> files or similar mechanisms.  Furthermore, the hardening-check(1)
> man-page explains that:
> 
>     When an executable was built such that the fortified versions of the
>     glibc functions are not useful (e.g. use is verified as safe at
>     compile time, or use cannot be verified at runtime), this check will
>     lead to false alarms.
> 
> There is one read(2) call (in mess.cxx):
> 
>     std::string Multimeter::readfrom_dmm ()
>     {
>         std::string mwert, extra_str;
>         std::string error_str;
>         char buffer[1024];
>         std::string poll;
> 
>         if (scpi)
>         {
>             dmm_polling = true;
>             poll = "MEAS?";
>         }
>         else poll = "D";
> 
>         if (usb)
>         {
>             if (dmm_polling) writeto_dmm (poll);
>             int result = read(usb_port, buffer, 1024);
> 
> and it is straightforward for the compiler to verify that it will not
> overrun the buffer.
> 
> I believe your original rules file was fine.  The correct hardening
> flags were being passed.  The fact that there were unfortified function
> symbols in the resulting binary was down to the tool-chain and not
> anything you were doing wrong.
> 
> J.



Bug#1066033: RFS: galvani/0.34-1 [ITP] -- reads data from a device with graphical plots and evaluation

2024-03-27 Thread Jeremy Sowden
On 2024-03-27, at 10:48:45 +0100, Dr. Burkard Lutz wrote:
> On Tuesday, 26.03.2024 at 17:03 +, Jeremy Sowden wrote:
> > [...]
> > 
> > The following should suffice:
> > 
> >   export DH_VERBOSE = 1
> >   export DEB_BUILD_MAINT_OPTIONS = hardening=+all
> >   export DEB_LDFLAGS_MAINT_APPEND = -lstdc++fs
> > 
> >   %:
> >   dh $@ --with autoreconf
> > 
> 
> So, this is exactly what I had initially.
> 
> > Running the build one can see:
> > 
> >   g++ [...] -D_FORTIFY_SOURCE=2 [...]
> > 
> > so the right argument is being passed to the compiler.  There is a list
> > of the functions that are fortified here:
> > 
> >   https://www.gnu.org/software/libc/manual/html_node/Source-Fortification.html
> > 
> > Does the software use any of these?  If not, this is a false
> > positive.
> > 
> > J.
> 
> Galvani only uses "open" for file operations and "read" to read from
> usb devices.
> 
> I'm a bit confused now. The output of "blhc galvani_0.34-1_amd64.build"
> is empty, but "hardening-check -vR /usr/bin/galvani" gives:
> 
> /usr/bin/galvani:
>  Position Independent Executable: yes
>  Stack protected: yes
>  Fortify Source functions: no, only unprotected functions found!
>   unprotected: read
>   unprotected: memcpy
>   unprotected: readlink
>   unprotected: vsnprintf
>   unprotected: memset
>   unprotected: memmove
>   unprotected: realpath
>   unprotected: getcwd
>  Read-only relocations: yes
>  Immediate binding: yes
>  Stack clash protection: unknown, no -fstack-clash-protection instructions found
>  Control flow integrity: no, not found!
> --
> followed by a long list.

I've taken a closer look and I don't think you have anything to worry
about.  Lintian's complaint relates to five unfortified function symbols
in the galvani binary:

    getcwd
    read
    vsnprintf
    realpath
    readlink

hardening-check(1) lists an additional three.  Of the eight, the galvani
source itself only includes one of them: read(2).  The others are
presumably being pulled in via inline functions or templates from header
files or similar mechanisms.  Furthermore, the hardening-check(1)
man-page explains that:

When an executable was built such that the fortified versions of the
glibc functions are not useful (e.g. use is verified as safe at
compile time, or use cannot be verified at runtime), this check will
lead to false alarms.

There is one read(2) call (in mess.cxx):

    std::string Multimeter::readfrom_dmm ()
    {
        std::string mwert, extra_str;
        std::string error_str;
        char buffer[1024];
        std::string poll;

        if (scpi)
        {
            dmm_polling = true;
            poll = "MEAS?";
        }
        else poll = "D";

        if (usb)
        {
            if (dmm_polling) writeto_dmm (poll);
            int result = read(usb_port, buffer, 1024);

and it is straightforward for the compiler to verify that it will not
overrun the buffer.

I believe your original rules file was fine.  The correct hardening
flags were being passed.  The fact that there were unfortified function
symbols in the resulting binary was down to the tool-chain and not
anything you were doing wrong.

J.


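As an added example that is not part of this thread and not galvani's own code: the read(2) pattern Jeremy points to, reconstructed as a stand-alone C program, next to a variant whose byte count is only known at run time. The first function has the shape glibc's fortify wrapper can settle at compile time (constant count, buffer of known size), which is why the linked binary ends up referencing a plain read symbol that hardening-check then lists as "unprotected"; the second has the shape that gets routed through __read_chk(). The pipe standing in for the USB port, the reply strings and all function names are assumptions made for this example.

```c
/* Added example, not code from galvani or from anyone in this thread.
 * It shows the read(2) pattern discussed above next to a runtime-bounded
 * variant, with a pipe standing in for the USB port so it runs offline.
 * Assumes a POSIX system with glibc's _FORTIFY_SOURCE wrappers. */
#include <stddef.h>
#include <string.h>
#include <unistd.h>

#define DMM_BUF 1024   /* same size as the buffer in mess.cxx */

/* Copy at most outsz-1 bytes into the caller's buffer and NUL-terminate.
 * Returns the number of bytes copied, or -1 if outsz is 0. */
static ssize_t copy_out(char *out, size_t outsz, const char *src, size_t n)
{
    if (outsz == 0)
        return -1;
    size_t take = n < outsz - 1 ? n : outsz - 1;
    memcpy(out, src, take);
    out[take] = '\0';
    return (ssize_t)take;
}

/* The pattern from mess.cxx: a fixed buffer and a byte count that is a
 * compile-time constant no larger than the buffer. glibc's fortify wrapper
 * for read() compares a constant count against __builtin_object_size(buffer)
 * at compile time; when that check passes it calls plain read(), not
 * __read_chk(). The binary therefore carries an "unprotected" read symbol
 * even though nothing was left unchecked, which is the false alarm the
 * hardening-check(1) man-page describes. */
ssize_t read_reply_fixed(int fd, char *out, size_t outsz)
{
    char buffer[DMM_BUF];
    ssize_t n = read(fd, buffer, sizeof buffer);   /* bound provable at compile time */
    if (n < 0)
        return -1;
    return copy_out(out, outsz, buffer, (size_t)n);
}

/* Contrast: the byte count arrives at run time. The compiler cannot prove it
 * fits, so a fortified build routes the call through __read_chk(), which
 * aborts the process if the count exceeds the object size. The explicit
 * clamp below keeps the call in bounds on any toolchain, fortified or not. */
ssize_t read_reply_runtime(int fd, char *out, size_t outsz, size_t want)
{
    char buffer[DMM_BUF];
    if (want > sizeof buffer)
        want = sizeof buffer;
    ssize_t n = read(fd, buffer, want);
    if (n < 0)
        return -1;
    return copy_out(out, outsz, buffer, (size_t)n);
}

/* Constructed self-test: push one multimeter reply through a pipe and read it
 * back with read_reply_fixed(). Returns the byte count delivered, -1 on error. */
ssize_t demo_fixed(void)
{
    static const char reply[] = "+1.2345E+00\n";  /* constructed DMM reply */
    int p[2];
    char out[64];
    if (pipe(p) != 0)
        return -1;
    if (write(p[1], reply, sizeof reply - 1) != (ssize_t)(sizeof reply - 1))
        return -1;
    close(p[1]);
    ssize_t n = read_reply_fixed(p[0], out, sizeof out);
    close(p[0]);
    if (n >= 0 && strcmp(out, reply) != 0)
        return -1;
    return n;
}

/* Constructed self-test for the runtime variant: ask for `want` bytes of a
 * 5-byte reply, where `want` may be far larger than the internal buffer.
 * Returns the byte count delivered, -1 on error. */
ssize_t demo_runtime(size_t want)
{
    static const char reply[] = "12.5\n";         /* constructed DMM reply */
    int p[2];
    char out[64];
    if (pipe(p) != 0)
        return -1;
    if (write(p[1], reply, sizeof reply - 1) != (ssize_t)(sizeof reply - 1))
        return -1;
    close(p[1]);
    ssize_t n = read_reply_runtime(p[0], out, sizeof out, want);
    close(p[0]);
    return n;
}
```

Compiling this with `gcc -O2 -D_FORTIFY_SOURCE=2` and listing the undefined dynamic symbols (for example with `nm -D`) shows the distinction hardening-check(1) reacts to: the constant-count path references read, the runtime-count path references __read_chk. A plain read symbol can therefore mean "already verified at compile time" rather than "unchecked", which is the man-page's point about false alarms; the explicit clamp in the runtime variant is the defence that does not depend on the toolchain at all.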


Bug#1066033: RFS: galvani/0.34-1 [ITP] -- reads data from a device with graphical plots and evaluation

2024-03-27 Thread Dr. Burkard Lutz
On Tuesday, 26.03.2024 at 17:03 +, Jeremy Sowden wrote:
> [...]
> 
> The following should suffice:
> 
>   export DH_VERBOSE = 1
>   export DEB_BUILD_MAINT_OPTIONS = hardening=+all
>   export DEB_LDFLAGS_MAINT_APPEND = -lstdc++fs
> 
>   %:
>   dh $@ --with autoreconf
> 

So, this is exactly what I had initially.

> Running the build one can see:
> 
>   g++ [...] -D_FORTIFY_SOURCE=2 [...]
> 
> so the right argument is being passed to the compiler.  There is a list
> of the functions that are fortified here:
> 
>   https://www.gnu.org/software/libc/manual/html_node/Source-Fortification.html
> 
> Does the software use any of these?  If not, this is a false
> positive.
> 
> J.

Galvani only uses "open" for file operations and "read" to read from
usb devices.

I'm a bit confused now. The output of "blhc galvani_0.34-1_amd64.build"
is empty, but "hardening-check -vR /usr/bin/galvani" gives:

/usr/bin/galvani:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
  unprotected: read
  unprotected: memcpy
  unprotected: readlink
  unprotected: vsnprintf
  unprotected: memset
  unprotected: memmove
  unprotected: realpath
  unprotected: getcwd
 Read-only relocations: yes
 Immediate binding: yes
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: no, not found!
--
followed by a long list.

Burkard



Bug#1066033: RFS: galvani/0.34-1 [ITP] -- reads data from a device with graphical plots and evaluation

2024-03-26 Thread Jeremy Sowden
On 2024-03-26, at 17:20:10 +0100, Dr. Burkard Lutz wrote:
> On Saturday, 16.03.2024 at 11:06 +0100, Bastian Germann wrote:
> > On Mon, 11 Mar 2024 14:20:25 +0100 "Dr. Burkard Lutz"
> >  wrote:
> > > Changes for the initial release:
> > > 
> > >  galvani (0.34-1) unstable; urgency=medium
> > >  .
> > >    * Initial release.
> > 
> > You are not referring to any ITP. Please file one on the wnpp pseudo
> > package.
> > 
> > > 
> > > My /debian/rules contains:
> > > export DEB_BUILD_MAINT_OPTIONS = hardening=+all
> > > 
> > > Nevertheless I always get the lintian error
> > > "hardening-no-fortify-functions"
> > > How can I fix that?
> > 
> > By making sure that LDFLAGS, CPPFLAGS and CFLAGS set by dpkg are used
> > in your build.
> > 
> I uploaded a new version to mentors.debian.net/package/galvani.
> Changes since the last upload:
> - ITP (wnpp): (Closes: #1067096)
> - debian/upstream: added signing-key.asc
> - debian/upstream/metadata: added repository:
> https://gitlab.com/b.lutz1/galvani
> - debian/control: added homepage field
> - new debian/copyright
> - new debian/watch
> - debian/rules: added dpkg-buildflags
> 
> I tried to fix the lintian error "hardening-no-fortify-functions".
> I'm using anjuta as IDE. In the project options I added CFLAGS,
> CPPFLAGS, CXXFLAGS and LDFLAGS (output of dpkg-buildflags). 
> My debian/rules is now:
> ---
> #!/usr/bin/make -f
> 
> LDFLAGS  :=$(shell dpkg-buildflags --get LDFLAGS)
> 
> export DH_VERBOSE = 1
> 
> export DEB_BUILD_MAINT_OPTIONS = hardening=+all
> 
> export DEB_CFLAGS_MAINT_APPEND  = -Wall -pedantic
> 
> export DEB_LDFLAGS_MAINT_APPEND = -lstdc++fs
> 
> DPKG_EXPORT_BUILDFLAGS = 1
> include /usr/share/dpkg/buildflags.mk
> CFLAGS += $(CPPFLAGS)
> 
> %:
>   dh $@ --with autoreconf
> 
> But I still got the same lintian error.
> What is wrong and what can I do to fix the error?

The following should suffice:

  export DH_VERBOSE = 1
  export DEB_BUILD_MAINT_OPTIONS = hardening=+all
  export DEB_LDFLAGS_MAINT_APPEND = -lstdc++fs

  %:
  dh $@ --with autoreconf

Running the build one can see:

  g++ [...] -D_FORTIFY_SOURCE=2 [...]

so the right argument is being passed to the compiler.  There is a list
of the functions that are fortified here:

  https://www.gnu.org/software/libc/manual/html_node/Source-Fortification.html

Does the software use any of these?  If not, this is a false positive.

J.




Bug#1066033: RFS: galvani/0.34-1 [ITP] -- reads data from a device with graphical plots and evaluation

2024-03-26 Thread Dr. Burkard Lutz
On Saturday, 16.03.2024 at 11:06 +0100, Bastian Germann wrote:
> On Mon, 11 Mar 2024 14:20:25 +0100 "Dr. Burkard Lutz"
>  wrote:
> > Changes for the initial release:
> > 
> >  galvani (0.34-1) unstable; urgency=medium
> >  .
> >    * Initial release.
> 
> You are not referring to any ITP. Please file one on the wnpp pseudo
> package.
> 
> > 
> > My /debian/rules contains:
> > export DEB_BUILD_MAINT_OPTIONS = hardening=+all
> > 
> > Nevertheless I always get the lintian error
> > "hardening-no-fortify-functions"
> > How can I fix that?
> 
> By making sure that LDFLAGS, CPPFLAGS and CFLAGS set by dpkg are used
> in your build.
> 
I uploaded a new version to mentors.debian.net/package/galvani.
Changes since the last upload:
- ITP (wnpp): (Closes: #1067096)
- debian/upstream: added signing-key.asc
- debian/upstream/metadata: added repository:
https://gitlab.com/b.lutz1/galvani
- debian/control: added homepage field
- new debian/copyright
- new debian/watch
- debian/rules: added dpkg-buildflags

I tried to fix the lintian error "hardening-no-fortify-functions".
I'm using anjuta as IDE. In the project options I added CFLAGS,
CPPFLAGS, CXXFLAGS and LDFLAGS (output of dpkg-buildflags). 
My debian/rules is now:
---
#!/usr/bin/make -f

LDFLAGS  :=$(shell dpkg-buildflags --get LDFLAGS)

export DH_VERBOSE = 1

export DEB_BUILD_MAINT_OPTIONS = hardening=+all

export DEB_CFLAGS_MAINT_APPEND  = -Wall -pedantic

export DEB_LDFLAGS_MAINT_APPEND = -lstdc++fs

DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk
CFLAGS += $(CPPFLAGS)

%:
dh $@ --with autoreconf

But I still got the same lintian error.
What is wrong and what can I do to fix the error?

Regards,
Burkard



Re: Bug#1066033: RFS: galvani/0.34-1 [ITP] -- reads data from a device with graphical plots and evaluation

2024-03-18 Thread Soren Stoutner
Use the wnpp bug number in the Changelog file.  The other bug will close 
automatically when the package is sponsored.

On Monday, March 18, 2024 5:57:41 AM MST Dr. Burkard Lutz wrote:
> Hi Bastian,
> 
> thanks for your advice. As you suggested, I created a bug report
> against wnpp. But now I have two bug numbers:
> #1066033 (sponsorship-requests)
> #1067096 (wnpp)
> Which one should I use in the Changelog file?
> 
> Regards,
> Burkard
> 
> On Saturday, 16.03.2024 at 11:06 +0100, Bastian Germann wrote:
> > On Mon, 11 Mar 2024 14:20:25 +0100 "Dr. Burkard Lutz"
> > 
> >  wrote:
> > > Changes for the initial release:
> > > 
> > >  galvani (0.34-1) unstable; urgency=medium
> > >  .
> > >* Initial release.
> > 
> > You are not referring to any ITP. Please file one on the wnpp pseudo
> > package.
> > 
> > > My /debian/rules contains:
> > > export DEB_BUILD_MAINT_OPTIONS = hardening=+all
> > > 
> > > Nevertheless I always get the lintian error
> > > "hardening-no-fortify-functions"
> > > How can I fix that?
> > 
> > By making sure that LDFLAGS, CPPFLAGS and CFLAGS set by dpkg are used
> > in your build.


-- 
Soren Stoutner
so...@debian.org



Bug#1066033: RFS: galvani/0.34-1 [ITP] -- reads data from a device with graphical plots and evaluation

2024-03-18 Thread Dr. Burkard Lutz
Hi Bastian,

thanks for your advice. As you suggested, I created a bug report
against wnpp. But now I have two bug numbers:
#1066033 (sponsorship-requests)
#1067096 (wnpp)
Which one should I use in the Changelog file?

Regards,
Burkard

On Saturday, 16.03.2024 at 11:06 +0100, Bastian Germann wrote:
> On Mon, 11 Mar 2024 14:20:25 +0100 "Dr. Burkard Lutz"
>  wrote:
> > Changes for the initial release:
> > 
> >  galvani (0.34-1) unstable; urgency=medium
> >  .
> >    * Initial release.
> 
> You are not referring to any ITP. Please file one on the wnpp pseudo
> package.
> 
> > 
> > My /debian/rules contains:
> > export DEB_BUILD_MAINT_OPTIONS = hardening=+all
> > 
> > Nevertheless I always get the lintian error
> > "hardening-no-fortify-functions"
> > How can I fix that?
> 
> By making sure that LDFLAGS, CPPFLAGS and CFLAGS set by dpkg are used
> in your build.
> 

-- 
Dr. Burkard Lutz
Hellmut-von-Gerlachstr. 35
34121 Kassel




Bug#1066033: RFS: galvani/0.34-1 [ITP] -- reads data from a device with graphical plots and evaluation

2024-03-16 Thread Bastian Germann

On Mon, 11 Mar 2024 14:20:25 +0100 "Dr. Burkard Lutz"  wrote:
> Changes for the initial release:
> 
>  galvani (0.34-1) unstable; urgency=medium
>  .
>    * Initial release.

You are not referring to any ITP. Please file one on the wnpp pseudo package.

> My /debian/rules contains:
> export DEB_BUILD_MAINT_OPTIONS = hardening=+all
> 
> Nevertheless I always get the lintian error
> "hardening-no-fortify-functions"
> How can I fix that?

By making sure that LDFLAGS, CPPFLAGS and CFLAGS set by dpkg are used in
your build.



Bug#1066033: RFS: galvani/0.34-1 [ITP] -- reads data from a device with graphical plots and evaluation

2024-03-11 Thread Dr. Burkard Lutz
Package: sponsorship-requests
Severity: wishlist

Dear mentors,

I am looking for a sponsor for my package "galvani":

 * Package name : galvani
   Version  : 0.34-1
   Upstream contact : Burkard Lutz 
 * URL  : https://salsa.debian.org/blutz/galvani
 * License  : GPL-2+
 * Vcs  : https://salsa.debian.org/blutz/galvani
   Section  : science

The source builds the following binary packages:

  galvani - reads data from a device with graphical plots and evaluation

To access further information about this package, please visit the
following URL:

  https://mentors.debian.net/package/galvani/

Alternatively, you can download the package with 'dget' using this
command:

  dget -x https://mentors.debian.net/debian/pool/main/g/galvani/galvani_0.34-1.dsc

Changes for the initial release:

 galvani (0.34-1) unstable; urgency=medium
 .
   * Initial release.


My /debian/rules contains:
export DEB_BUILD_MAINT_OPTIONS = hardening=+all

Nevertheless I always get the lintian error
"hardening-no-fortify-functions"
How can I fix that?


Regards,
Burkard