On #ubuntu-release today we've been discussing the possibility of removing our hack from dpkg-buildpackage that exports the default output of dpkg-buildflags in the environment. This was an ugly hack to start with, and some months ago we had to make it even more ugly temporarily (https://lists.ubuntu.com/archives/ubuntu-devel/2011-November/034351.html), but on the general understanding that we would revert the whole lot after 12.04 and start relying on dpkg-buildflags.

The effects of this change require some analysis; they were certainly not obvious to me. Many of the default flags set by dpkg-buildflags are in fact already the defaults in Ubuntu's compiler:

  -fstack-protector --param=ssp-buffer-size=4
  -D_FORTIFY_SOURCE=2
  -Wformat -Wformat-security
  -Wl,-z,relro

-Werror=format-security is output by dpkg-buildflags, but we filter that out in the dpkg-buildpackage export hack at the moment to avoid causing lots of build failures in unsuspecting packages.

The last remaining issue for default builds is therefore -Wl,-Bsymbolic-functions. This is subtle: we use it (IIRC) as a performance improvement for shared libraries, and I wouldn't like that to regress. It's not trivial to detect whether a library has been built that way, but after some fiddling I noticed that it shows up in the output of 'objdump -R': a library built with -Wl,-Bsymbolic-functions has more entries there.

I'm therefore currently building all of precise/main in a couple of amd64 cloud instances with our hack removed from dpkg-buildpackage in the build chroot, with the intention of checking for any build failures, but also of extracting all the resulting shared libraries, running 'objdump -R' over them, and comparing against the corresponding shared libraries in the archive. That should give us a general idea of how much work it will be to ensure that all shared libraries continue to be built with -Wl,-Bsymbolic-functions (except where that had already been disabled for one reason or another). I hope to be able to report on this after the weekend.

The other likely effect of removing this export hack is that putting hardening options in DEB_BUILD_OPTIONS might start working differently. However, this only affects local builds, and it can be fixed by modifying packages to support dpkg-buildflags correctly. This is a release goal for wheezy (http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags), so it's reasonable to expect Debian package maintainers to take patches for this.

Any other comments?

-- 
Colin Watson
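
Added example, not part of the original message: one way to script the 'objdump -R' comparison described above, counting dynamic relocation records per type for the archive copy and the rebuilt copy of a library and reporting the types whose counts differ. The function names, the library name libdemo.so.1 and the sample records are constructed for illustration; the code makes no assumption about which direction a difference goes.

```python
import re
import subprocess
import sys
from collections import Counter

# One dynamic relocation record in `objdump -R` output: OFFSET TYPE VALUE
RELOC_LINE = re.compile(r"^[0-9a-fA-F]{8,16}\s+(R_\w+)\s+\S")

def count_relocs(objdump_text):
    """Count dynamic relocation records per relocation type."""
    counts = Counter()
    for line in objdump_text.splitlines():
        match = RELOC_LINE.match(line)
        if match:
            counts[match.group(1)] += 1
    return counts

def objdump_relocs(path):
    """Run `objdump -R` on one shared library and return its raw output."""
    return subprocess.run(["objdump", "-R", path], check=True,
                          capture_output=True, text=True).stdout

def compare(archive_text, rebuilt_text):
    """Return {type: (archive_count, rebuilt_count)} for types that differ."""
    a, b = count_relocs(archive_text), count_relocs(rebuilt_text)
    return {t: (a[t], b[t]) for t in sorted(set(a) | set(b)) if a[t] != b[t]}

# Constructed sample output (not a measurement of any real library).
HEADER = ("\nlibdemo.so.1:     file format elf64-x86-64\n\n"
          "DYNAMIC RELOCATION RECORDS\nOFFSET           TYPE              VALUE\n")
ARCHIVE_SAMPLE = HEADER + """\
0000000000200e00 R_X86_64_RELATIVE  *ABS*+0x0000000000000650
0000000000200e08 R_X86_64_RELATIVE  *ABS*+0x0000000000000610
0000000000200ff8 R_X86_64_GLOB_DAT  __gmon_start__
0000000000201018 R_X86_64_JUMP_SLOT  puts
"""
REBUILT_SAMPLE = HEADER + """\
0000000000200e00 R_X86_64_RELATIVE  *ABS*+0x0000000000000650
0000000000200ff8 R_X86_64_GLOB_DAT  __gmon_start__
0000000000201018 R_X86_64_JUMP_SLOT  puts
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: script.py ARCHIVE_LIB REBUILT_LIB
        diff = compare(objdump_relocs(sys.argv[1]), objdump_relocs(sys.argv[2]))
    else:                    # no arguments: fall back to the constructed samples
        diff = compare(ARCHIVE_SAMPLE, REBUILT_SAMPLE)
    for reloc_type, (old, new) in diff.items():
        print(f"{reloc_type}: archive={old} rebuilt={new}")
    sys.exit(1 if diff else 0)
```

A non-zero exit status marks a library whose relocation counts changed between the two builds, so the script can be run in a loop over every extracted shared library.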
