[Debian-med-packaging] librcsb-core-wrapper read for inspection

Jakub Wilk jwilk at debian.org
Mon Aug 20 14:10:47 UTC 2012


* Laszlo Kajan <lkajan at rostlab.org>, 2012-08-17, 18:50:
>>Lintian says:
>> 
>>W: python-librcsb-core-wrapper: hardening-no-fortify-functions usr/lib/python2.6/dist-packages/CorePyWrap.so
>>W: python-librcsb-core-wrapper: hardening-no-fortify-functions usr/lib/python2.7/dist-packages/CorePyWrap.so
>> 
>>which might be false-positive, but on the other hand blhc seems to confirm that *FLAGS are lost somewhere:
>> 
>>CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security): libtool --mode=compile gcc
>>-D_FORTIFY_SOURCE=2 -O  -fPIC    -DHAVE_STRCASECMP -DINCL_TEMPLATE_SRC -DHAVE_PLACEMENT_NEW  -I./include -I../include    -DPOSIX_MISTAKE -c
>>src/regcomp.c -o ./obj/regcomp.o
>>[snip - more complaints about CFLAGS missing]
>>LDFLAGS missing (-Wl,-z,relro): g++ -D_FORTIFY_SOURCE=2  -w -L/usr/lib obj/xml2mmcif.o ../lib/pdbml-parser.a ../lib/dict-obj-file.a
>>../lib/cif-file-util.a ../lib/cif-file.a ../lib/cifparse-obj.a ../lib/tables.a ../lib/common.a ../lib/regex.a -lxerces-c  -lm -o ./bin/xml2mmcif
>
>Ok, I tried to address this. svn-buildpackage | tee ... blhc does not 
>report anything for me now. The gcc/g++ lines look right to my eyes. 
>But I still get the lintian warning! *What can I do now?*

Run away screaming? Wait, no, maybe not. ;)

In my experience, blhc is much more reliable than lintian. So most 
likely hardening-no-fortify-functions is a false-positive.

>>It's customary to build extension modules also with python2.X-dbg 
>>interpreters, and put them into a separate python-foo-dbg package. If 
>>you build-depend on python-all-dbg then dh_auto_* will do most of the 
>>work for you. (It's a feature added in debhelper 7.3.5, so you should 
>>bump debhelper build-dependency if you decide to use it.)
>
>Ok, I added this. Building the wrapper (the binding) is painfully 
>slow... it's a pity the four versions of this module can not be built 
>in parallel.

They probably can, it's just somebody has to write code to make that 
happen. See e.g. how gamera[0] does this. Or you could write a patch to 
debhelper, so that dh_auto_build takes care of parallel building 
automatically. :)


[0] http://anonscm.debian.org/viewvc/python-modules/packages/gamera/trunk/debian/rules?revision=22402&view=markup

-- 
Jakub Wilk
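
Added example, not part of the original message and not blhc's own code: a minimal build-log check in the spirit of the blhc output quoted above, reporting which of the hardening flags named in that output are absent from each compiler invocation. The function name check_line and the SAMPLE_LOG list are hypothetical; the first two sample commands are the quoted ones rejoined and abridged, and the third is constructed.

```python
import shlex

# Flag sets exactly as named in the blhc output quoted in this thread.
CFLAGS = ["-g", "-O2", "-fstack-protector", "--param=ssp-buffer-size=4",
          "-Wformat", "-Werror=format-security"]
CPPFLAGS = ["-D_FORTIFY_SOURCE=2"]
LDFLAGS = ["-Wl,-z,relro"]
COMPILERS = {"gcc", "g++", "cc", "c++"}

SAMPLE_LOG = [
    # Quoted compile command, rejoined and abridged.
    "libtool --mode=compile gcc -D_FORTIFY_SOURCE=2 -O -fPIC -DHAVE_STRCASECMP "
    "-I./include -DPOSIX_MISTAKE -c src/regcomp.c -o ./obj/regcomp.o",
    # Quoted link command, rejoined and abridged.
    "g++ -D_FORTIFY_SOURCE=2 -w -L/usr/lib obj/xml2mmcif.o ../lib/regex.a "
    "-lxerces-c -lm -o ./bin/xml2mmcif",
    # Constructed: the same compile step with the hardening flags passed through.
    "gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat "
    "-Werror=format-security -D_FORTIFY_SOURCE=2 -fPIC -c src/regcomp.c "
    "-o ./obj/regcomp.o",
]


def check_line(line):
    """Return {"CFLAGS": [...], ...} with the flags missing from one log line."""
    args = shlex.split(line)
    # Skip wrappers such as "libtool --mode=compile" to find the compiler itself.
    start = next((i for i, a in enumerate(args)
                  if a.rsplit("/", 1)[-1] in COMPILERS), None)
    if start is None:
        return {}                      # not a compiler invocation
    opts = set(args[start + 1:])
    wanted = {}
    if "-c" in opts:                   # compile only: CFLAGS and CPPFLAGS apply
        wanted = {"CFLAGS": CFLAGS, "CPPFLAGS": CPPFLAGS}
    elif not ({"-E", "-S"} & opts):    # otherwise treated as a link step
        wanted = {"LDFLAGS": LDFLAGS}  # simplification: objects only, no sources
    missing = {k: [f for f in v if f not in opts] for k, v in wanted.items()}
    return {k: v for k, v in missing.items() if v}


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        for kind, flags in check_line(entry).items():
            print("%s missing (%s): %s" % (kind, " ".join(flags), entry))
```

Unlike lintian, which inspects the finished binary, a check of this kind reads the commands the build actually ran, so it only works on a verbose build log.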


