Bug#657853: Please enable hardened build flags

Moritz Mühlenhoff jmm at inutil.org
Mon Feb 6 18:44:15 UTC 2012


On Mon, Feb 06, 2012 at 06:47:57PM +0200, Niko Tyni wrote:
> On Mon, Feb 06, 2012 at 08:55:25AM +0200, Niko Tyni wrote:
> > On Sun, Feb 05, 2012 at 10:28:55PM +0000, Dominic Hargreaves wrote:
> > > On Sun, Feb 05, 2012 at 08:44:15PM +0200, Niko Tyni wrote:
> > > > On Sun, Jan 29, 2012 at 02:02:31PM +0100, Moritz Muehlenhoff wrote:
> > > > > Package: perl
> > > > > Version: 5.14.2-6
> > > > > Severity: important
> > > > > 
> > > > > Please enable hardened build flags through dpkg-buildflags.
> > > > 
> > > > While perl builds fine on amd64 with the attached patch, I'm slightly
> > > > uneasy about pushing it to unstable without wider testing.
> > > 
> > > Have you verified the output from hardening-flags before and after,
> > > both of perl and of a sample XS module (I used libimager-perl as a test).
> > 
> > No - I just checked the build log, $Config{ccflags} and the like.
> > 
> > Will do that when I have the time.
> 
> Looks good to me FWIW:

[..]

Looks good, yes.
 
> > Putting the ldflags into lddlflags along with -shared is rather ugly,
> > but I couldn't come up with anything better.
> 
> BTW, I see we'd have a hard time to be compatible with
>  DEB_BUILD_MAINT_OPTIONS=hardening=+pie.
> since most of the flags end up in -fPIC shared builds one way
> or another. 

Libtool handles this gracefully, see 
http://permalink.gmane.org/gmane.linux.debian.devel.general/168849

Right now -pie is not in the default set of hardening flags
for Wheezy. It will likely be enabled after Wheezy at least for
amd64 and other archs with sufficient registers, so setting
hardening=-pie can't hurt.

Cheers,
        Moritz
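The compatibility problem raised in the thread (hardening LDFLAGS being folded into perl's lddlflags next to -shared, which breaks once hardening=+pie adds -fPIE/-pie) can be illustrated with a small POSIX sh script. This is an added example, not code from the bug report or from the Debian perl packaging: the LDFLAGS string is constructed to look like a hardening=+pie dpkg-buildflags result, the function names (pie_enabled, shared_safe_ldflags, lddlflags_for) are assumptions, and pie_enabled models only the +pie/-pie/+all/-all tokens of DEB_BUILD_MAINT_OPTIONS with pie off by default, as the thread states for Wheezy.

```shell
#!/bin/sh
# Added example (not from the bug thread): show why PIE link flags must be
# kept out of a -shared link, and how the hardening=-pie maintainer option
# is read. Sample flag strings are constructed; real ones come from
# `dpkg-buildflags --get LDFLAGS`.

# Report whether the pie feature is enabled for a DEB_BUILD_MAINT_OPTIONS
# value such as "hardening=+all,-pie". Tokens are processed left to right
# and the last one wins; only pie/all are modelled (assumption: default off).
pie_enabled() {
    enabled=no
    for opt in $1; do
        case "$opt" in
            hardening=*)
                for tok in $(printf '%s' "${opt#hardening=}" | tr ',' ' '); do
                    case "$tok" in
                        +pie|+all) enabled=yes ;;
                        -pie|-all) enabled=no ;;
                    esac
                done ;;
        esac
    done
    printf '%s\n' "$enabled"
}

# Drop the executable-only PIE flags (-fPIE, -pie) from a flag string.
# A shared object is compiled with -fPIC and linked with -shared; -pie is
# meant for the final executable link and conflicts with -shared. The
# relro/bindnow flags (-Wl,-z,relro, -Wl,-z,now) apply equally to shared
# objects, so they are kept.
shared_safe_ldflags() {
    out=""
    for flag in $1; do
        case "$flag" in
            -pie|-fPIE) ;;                      # executable-only, skip
            *) out="$out${out:+ }$flag" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Build lddlflags the way the thread describes (hardening ldflags plus
# -shared), but only with the flags that are safe for a shared link.
lddlflags_for() {
    printf '%s\n' "-shared $(shared_safe_ldflags "$1")"
}

# Constructed sample: LDFLAGS as they would look with hardening=+pie.
SAMPLE_LDFLAGS="-fPIE -pie -Wl,-z,relro -Wl,-z,now"

# Demonstration when run directly.
echo "pie enabled for 'hardening=+all,-pie': $(pie_enabled "hardening=+all,-pie")"
echo "executable LDFLAGS : $SAMPLE_LDFLAGS"
echo "lddlflags          : $(lddlflags_for "$SAMPLE_LDFLAGS")"
```

With hardening=-pie in effect, dpkg-buildflags emits no -fPIE/-pie at all and shared_safe_ldflags is a no-op; the filter only matters once pie becomes a default, which is why the thread suggests disabling it explicitly until the packaging separates executable and shared-object link flags.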
