On Sat, Apr 28, 2012 at 01:39:54AM +0100, Colin Watson wrote:
> I'm therefore currently building all of precise/main in a couple of
> amd64 cloud instances with our hack removed from dpkg-buildpackage in
> the build chroot, with the intention of checking for any build failures,
> but also of extracting all the resulting shared libraries, running
> 'objdump -R' over them, and comparing against the corresponding shared
> libraries in the archive. That should give us a general idea of how
> much work it will be to ensure that all shared libraries continue to be
> built with -Wl,-Bsymbolic-functions (except where that had already been
> disabled for one reason or another). I hope to be able to report on
> this after the weekend.

Due to something unfortunate that happened to one of the instances, I
can't give a full report on this quite yet. However, the preliminary
results I saw were enough to make me content with removing this hack for
quantal. The executive summary is:

 * Somewhere in the area of 10% of binary packages in main show
   differences in 'objdump -R' output suggesting that
   -Wl,-Bsymbolic-functions may have been dropped.

 * A small number of packages do something like

     CFLAGS += $(HARDENING_CFLAGS)

   in debian/rules, assuming that it's already exported, and as a result
   lose hardening or other flags. openbsd-inetd is the only instance of
   this I've spotted so far, and I fixed that; please check your
   Ubuntu-specific changes for this kind of problem with flags that
   wouldn't show up in hardening-check.

 * A fairly substantial number of packages lose optimisation options,
   which is most easily noticed by them losing fortify protection
   according to hardening-check, and occasionally stack protection on
   some binaries as well. These packages will be building without
   optimisation in Debian too, and thus whatever number I produce should
   be close to an upper bound.

 * I was building in a modified precise chroot; quantal will do better
   due to debhelper and cdbs changes.

So we will have some work to do, but I think it's tractable.

-- 
Colin Watson [[email protected]]
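
Added example, not part of the original message and not the script used for the rebuild: one way to compare two 'objdump -R' listings for the same shared library. A library linked with -Wl,-Bsymbolic-functions binds calls to its own global functions at link time, so JUMP_SLOT relocations that appear only in the rebuilt copy suggest the flag was dropped. The library symbols (foo_init, foo_parse), the sample listings and the function names are constructed for illustration.

```python
import re

# Constructed 'objdump -R' output: archive copy, linked with -Bsymbolic-functions.
ARCHIVE = """\
DYNAMIC RELOCATION RECORDS
OFFSET           TYPE              VALUE
0000000000200df8 R_X86_64_RELATIVE  *ABS*+0x0000000000000650
0000000000200fe0 R_X86_64_GLOB_DAT  __gmon_start__
0000000000201018 R_X86_64_JUMP_SLOT  malloc@GLIBC_2.2.5
0000000000201020 R_X86_64_JUMP_SLOT  free@GLIBC_2.2.5
"""

# Constructed output for the rebuilt copy: the library's own functions now go via the PLT.
REBUILT = """\
DYNAMIC RELOCATION RECORDS
OFFSET           TYPE              VALUE
0000000000200df0 R_X86_64_RELATIVE  *ABS*+0x0000000000000660
0000000000200fe0 R_X86_64_GLOB_DAT  __gmon_start__
0000000000201018 R_X86_64_JUMP_SLOT  malloc@GLIBC_2.2.5
0000000000201020 R_X86_64_JUMP_SLOT  free@GLIBC_2.2.5
0000000000201028 R_X86_64_JUMP_SLOT  foo_init
0000000000201030 R_X86_64_JUMP_SLOT  foo_parse
"""

# offset, relocation type, value; header and blank lines do not match
RELOC = re.compile(r"^[0-9a-fA-F]{8,16}\s+(R_\w+)\s+(\S+)\s*$")

def parse_relocs(text):
    """Return {(type, symbol)} for symbol relocations. Offsets are ignored
    because they shift between builds; *ABS* (RELATIVE) entries carry no symbol."""
    out = set()
    for line in text.splitlines():
        m = RELOC.match(line)
        if m and not m.group(2).startswith("*ABS*"):
            # strip "+addend" and "@VERSION" so only the symbol name is compared
            out.add((m.group(1), re.split(r"[+@]", m.group(2))[0]))
    return out

def new_plt_symbols(archive_text, rebuilt_text):
    """Symbols with a JUMP_SLOT relocation in the rebuild but not in the archive copy."""
    added = parse_relocs(rebuilt_text) - parse_relocs(archive_text)
    return sorted(sym for rtype, sym in added if rtype.endswith("JUMP_SLOT"))

if __name__ == "__main__":
    for sym in new_plt_symbols(ARCHIVE, REBUILT):
        print("new JUMP_SLOT relocation:", sym)
```

A non-empty result is only a hint: a new upstream dependency also adds JUMP_SLOT entries, so check whether the listed symbols are defined by the library itself before concluding the flag was lost.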
