[med-svn] r10820 - in trunk/packages/ncbi-blast+/trunk/debian: . patches

Aaron M. Ucko ucko at alioth.debian.org
Fri May 11 03:32:08 UTC 2012 

Author: ucko
Date: 2012-05-11 03:32:08 +0000 (Fri, 11 May 2012)
New Revision: 10820

Added:
   trunk/packages/ncbi-blast+/trunk/debian/patches/use_pie_for_apps
Modified:
   trunk/packages/ncbi-blast+/trunk/debian/changelog
   trunk/packages/ncbi-blast+/trunk/debian/control
   trunk/packages/ncbi-blast+/trunk/debian/patches/series
   trunk/packages/ncbi-blast+/trunk/debian/rules
Log:
ncbi-blast+: Enable full hardening flags, introducing a small patch
(use_pie_for_apps) to reflect the need to build executables and
libraries differently.


Modified: trunk/packages/ncbi-blast+/trunk/debian/changelog
===================================================================
--- trunk/packages/ncbi-blast+/trunk/debian/changelog	2012-05-11 03:29:27 UTC (rev 10819)
+++ trunk/packages/ncbi-blast+/trunk/debian/changelog	2012-05-11 03:32:08 UTC (rev 10820)
@@ -10,6 +10,9 @@
     - Use modern syntax for making protected base members public.
     - Add forward declarations as needed.
   * Wrap and sort build dependencies to ease maintenance thereof.
+  * Enable full hardening flags, introducing a small patch
+    (use_pie_for_apps) to reflect the need to build executables and
+    libraries differently.
   
   [ Andreas Tille ]
   * debian/control: Modernize Vcs-* fields.

Modified: trunk/packages/ncbi-blast+/trunk/debian/control
===================================================================
--- trunk/packages/ncbi-blast+/trunk/debian/control	2012-05-11 03:29:27 UTC (rev 10819)
+++ trunk/packages/ncbi-blast+/trunk/debian/control	2012-05-11 03:32:08 UTC (rev 10820)
@@ -3,6 +3,7 @@
 Priority: optional
 Build-Depends: autotools-dev (>= 20100122),
                debhelper (>= 7.0.50~),
+	       dpkg-dev (>= 1.16.1),
                libboost-test-dev,
                libbz2-dev,
                libc0.3-dev (>= 2.13-9~) [hurd-i386],

Modified: trunk/packages/ncbi-blast+/trunk/debian/patches/series
===================================================================
--- trunk/packages/ncbi-blast+/trunk/debian/patches/series	2012-05-11 03:29:27 UTC (rev 10819)
+++ trunk/packages/ncbi-blast+/trunk/debian/patches/series	2012-05-11 03:32:08 UTC (rev 10820)
@@ -4,3 +4,4 @@
 no_multiarch_rpath
 wrong_path_to_touch.patch
 fix_gcc47_errors
+use_pie_for_apps

Added: trunk/packages/ncbi-blast+/trunk/debian/patches/use_pie_for_apps
===================================================================
--- trunk/packages/ncbi-blast+/trunk/debian/patches/use_pie_for_apps	                        (rev 0)
+++ trunk/packages/ncbi-blast+/trunk/debian/patches/use_pie_for_apps	2012-05-11 03:32:08 UTC (rev 10820)
@@ -0,0 +1,20 @@
+Subject: build executables with -fPIE, not -fPIC
+
+* -fPIC is only useful for shared libraries; substitute -fPIE (to be
+   accompanied by appropriate APP_LDFLAGS) when building executables.
+
+Author: Aaron M. Ucko <ucko at debian.org>
+Last-Update: 2012-05-10
+--- a/c++/src/build-system/Makefile.app.in
++++ b/c++/src/build-system/Makefile.app.in
+@@ -24,8 +24,8 @@
+ 
+ ### C/C++ source file compilation (and maybe auto-dependencies) build rules
+ 
+-CXXFLAGS_ALL = @f_compile@ $(CXXFLAGS) $(LOCAL_CPPFLAGS) $(CPPFLAGS)
+-CFLAGS_ALL   = @f_compile@ $(CFLAGS) $(LOCAL_CPPFLAGS) $(CPPFLAGS)
++CXXFLAGS_ALL = @f_compile@ $(CXXFLAGS:-fPIC=-fPIE) $(LOCAL_CPPFLAGS) $(CPPFLAGS)
++CFLAGS_ALL   = @f_compile@ $(CFLAGS:-fPIC=-fPIE) $(LOCAL_CPPFLAGS) $(CPPFLAGS)
+ SOURCES      = @UNIX_SRC@ $(SRC)
+ include $(builddir)/Makefile.$(Rules)
+ 

Modified: trunk/packages/ncbi-blast+/trunk/debian/rules
===================================================================
--- trunk/packages/ncbi-blast+/trunk/debian/rules	2012-05-11 03:29:27 UTC (rev 10819)
+++ trunk/packages/ncbi-blast+/trunk/debian/rules	2012-05-11 03:32:08 UTC (rev 10820)
@@ -7,7 +7,7 @@
 DEB_CONFIGURE_EXTRA_FLAGS=--with-dll --with-mt --without-autodep \
     --without-makefile-auto-update --with-flat-makefile --without-caution \
     --without-dbapi --without-lzo --with-runpath=/usr/lib/ncbi-blast+ \
-    --with-build-root=BUILD LDFLAGS='-Wl,--as-needed -Wl,--enable-new-dtags'
+    --with-build-root=BUILD
 proj=algo/blast/ app/ objmgr/ objtools/align_format/ objtools/blast/
 
 # XXX - not quite right, as we get -DNDEBUG vs. -D_DEBUG
@@ -17,12 +17,21 @@
 DEB_CONFIGURE_EXTRA_FLAGS += --with-optimization
 endif
 
+export DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie
+
 DEB_HOST_ARCH := $(shell dpkg-architecture -qDEB_HOST_ARCH)
+
+CFLAGS   := $(shell dpkg-buildflags --get CFLAGS)
+CPPFLAGS := $(shell dpkg-buildflags --get CPPFLAGS)
+CXXFLAGS := $(shell dpkg-buildflags --get CXXFLAGS)
+LDFLAGS  := $(shell dpkg-buildflags --get LDFLAGS) -Wl,--as-needed
+
 ifneq (,$(findstring mips,$(DEB_HOST_ARCH)))
-DEB_CONFIGURE_EXTRA_FLAGS += CXXFLAGS=-O FAST_CXXFLAGS=-O
+CXXFLAGS := $(CXXFLAGS:-O%=-O)
+DEB_CONFIGURE_EXTRA_FLAGS += FAST_CXXFLAGS=-O
 endif
 
-export MAKE
+export CFLAGS CPPFLAGS CXXFLAGS LDFLAGS MAKE
 
 llp=LD_LIBRARY_PATH
 override_dh_auto_configure:
@@ -30,7 +39,9 @@
 	    CONFIG_SHELL=/bin/bash ./configure $(DEB_CONFIGURE_EXTRA_FLAGS)
 
 override_dh_auto_build:
-	cd c++/BUILD/build  &&  make -f Makefile.flat all_projects="$(proj)"
+	cd c++/BUILD/build  && \
+	    make -f Makefile.flat all_projects="$(proj)" \
+	      APP_LDFLAGS='-Wl,-E -fPIE -pie'
 
 override_dh_auto_test:
 	-dh_auto_test
@@ -65,7 +76,7 @@
 		`basename $$x .files`.module purge_sources); \
 	done
 	rm -rf c++/BUILD c++/compilers/dll c++/config.log c++/Makefile
-	rm -f c++/src/objects/blastxml/blastxml.module
+	rm -f c++/configure.lineno c++/src/objects/blastxml/blastxml.module
 
 %:
 	dh $@ -Dc++ --with autotools_dev --with quilt

More information about the debian-med-commit mailing list