[Aptitude-devel] aptitude 0.6.6-1 available on mentors.d.n

Axel Beckert abe at debian.org
Tue Mar 27 23:03:51 UTC 2012


Hi,

Manuel A. Fernandez Montecelo wrote:
> 2012/3/27 Axel Beckert <abe at debian.org>:
> >> These are used only by the dh commands in debian/rules and
> >> so work fine.
> >
> > And it actually FTBFS if you add the "export".
> 
> FTBFS?

Yes.

I took the current package from mentors, built it in pbuilder. Built
fine. Added just the "export" in front of that line and it FTBFS at
dh_auto_configure (in pbuilder again). I removed the "export" again
and it built fine again.

I didn't investigate further why, but I expect that to be
reproducible.

> Dunno, but I'm not the only one using exports:
>
> http://web.dodds.net/~vorlon/wiki/blog/Debian:_not_stale_just_hardened/
> http://wiki.debian.org/HardeningWalkthrough
> http://wiki.debian.org/Hardening
> 
> And even:
> http://anonscm.debian.org/loggerhead/apt/debian-sid/annotate/head:/debian/rules

It's also in the dpkg-buildflags man page, yes.

> Maybe I'm missing something and DEB_BUILD_MAINT_OPTIONS case is
> different than other environment vars related with hardening like the
> compiler flags,

Partially, according to the dpkg-buildflags man page. But not at that
point AFAICS.

> or maybe the export has been deprecated or rendered unnecessary, or
> never required but all of these documents/folks do it even if it's
> not necessary... but I don't think that using "export" is wrong at
> all and much less causes FTBFS.

It did cause a FTBFS for me. So I'll definitely upload (very soon)
without it.

But I agree that we should investigate potential differences this may
cause, especially the differences in build logs with and without as
well as checking the results with hardening-check from the
hardening-includes package. (Once it builds with it. ;-)

> Another thing is if, with the current aptitude debian/rules is
> necessary or not.  I just wanted to raise awareness in the case that
> it was an issue and the hardening was actually not happening.

Valid point. At least some hardening happened:

hardening-check /usr/bin/aptitude-curses 
/usr/bin/aptitude-curses:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!

Doesn't look perfect though as I'd have expected PIE there.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe at debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-    |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
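
Added example, not part of the original message or of the aptitude packaging: one way to do the with/without comparison suggested above is to parse hardening-check text output and diff the verdicts per binary. The first report is the one quoted in the message; the second is constructed for illustration, and all function names are hypothetical.

```python
import re

# Report quoted in the message above (package built without "export").
REPORT_FROM_MESSAGE = """\
/usr/bin/aptitude-curses:
 Position Independent Executable: no, normal executable!
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no not found!
"""

# Constructed sample, NOT a real build result: same binary with PIE and
# immediate binding reported as enabled.
REPORT_CONSTRUCTED = REPORT_FROM_MESSAGE.replace(
    "no, normal executable!", "yes").replace("no not found!", "yes")

# Feature lines are indented: "<feature>: <yes|no|unknown>[ detail]".
FEATURE_RE = re.compile(r"^\s+([^:]+):\s+(yes|no|unknown)\b")
VERDICT = {"yes": True, "no": False, "unknown": None}

def parse_report(text):
    """Return {binary: {feature: True/False/None}} from hardening-check output."""
    report, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = report.setdefault(line.rstrip()[:-1], {})
            continue
        m = FEATURE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = VERDICT[m.group(2)]
    return report

def missing(report):
    """Per binary, the features explicitly reported as 'no'."""
    return {b: sorted(f for f, v in feats.items() if v is False)
            for b, feats in report.items()}

def changed(before, after):
    """Per binary, {feature: (old, new)} for verdicts that differ."""
    out = {}
    for binary in before.keys() & after.keys():
        for feat, old in before[binary].items():
            new = after[binary].get(feat, old)
            if new != old:
                out.setdefault(binary, {})[feat] = (old, new)
    return out

if __name__ == "__main__":
    print(missing(parse_report(REPORT_FROM_MESSAGE)))
    print(changed(parse_report(REPORT_FROM_MESSAGE), parse_report(REPORT_CONSTRUCTED)))
```
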


