Bug#657853: Building perl with hardened build flags

Niko Tyni ntyni at debian.org
Tue Feb 21 11:38:07 UTC 2012


On Fri, Feb 17, 2012 at 12:36:21PM +0200, Niko Tyni wrote:

(cc's trimmed for the implementation details) 

> If we have consensus on that, the way forward as I see it:

Dominic, I'm not sure if you're fine with that plan?

> - prepare a perl upload in unstable that is built with the hardened flags
>   but doesn't export them through Config.pm

Here's my first try at this. It works, but I'm not really happy with it.
My hack time is fairly limited ATM and I haven't got any further just
by glaring at it, so it's probably better to share this anyway.

Problems/thoughts:

- we're invoking dpkg-buildflags in two places (debian/rules and
  debian/config.debian), and if the invocations go out of sync we get
  a silent failure.
- not sure if we should blindly remove the dpkg-buildflags output
  from every line in Config_heavy.pm or just the ones we care about
  (i.e. ccflags, ld(dl?)flags)
- should we be defensive against a situation where dpkg-buildflags
  returns something short and generic (like " " or "-g")? If we should,
  the "blindly" part above becomes much less attractive
- I'd love to delegate the -Doptimize handling to dpkg-buildflags
  instead of doing it manually, but that way we end up stripping the
  default optimize flags from Perl modules in the same way as the
  hardening flags, which is probably not good.

Ideas/patches welcome.
-- 
Niko
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Massage-Config_heavy.pm-after-the-build-to-remove-dp.patch
Type: text/x-diff
Size: 1823 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/perl-maintainers/attachments/20120221/43ca16e4/attachment.patch>
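
An added example, not the attached patch and not code from the perl packaging: one way to do the targeted, defensive variant weighed in the list above, removing the flags token by token from named keys only and raising an error when they are too generic or are not found (the out-of-sync case). The key='value' line format, the GENERIC set and the SAMPLE/FLAGS values are constructed assumptions.

```python
import re

# Assumption: flag sets made up only of these count as "short and generic".
GENERIC = {"-g", "-O0", "-O1", "-O2", "-O3", "-Os"}
LINE = re.compile(r"^(\w+)='([^']*)'$")

# Constructed sample in the key='value' style of Config_heavy.pm (not real output).
SAMPLE = """\
cc='cc'
ccflags='-D_REENTRANT -DDEBIAN -fstack-protector -Wformat -D_FORTIFY_SOURCE=2 -pipe'
ldflags='-Wl,-z,relro -L/usr/local/lib'
optimize='-O2 -g'
"""
# Constructed stand-ins for the dpkg-buildflags output used at build time.
FLAGS = {"ccflags": "-fstack-protector -Wformat -D_FORTIFY_SOURCE=2",
         "ldflags": "-Wl,-z,relro"}


def find_run(tokens, run):
    """Index where `run` occurs as a contiguous token sequence, or -1."""
    for i in range(len(tokens) - len(run) + 1):
        if tokens[i:i + len(run)] == run:
            return i
    return -1


def strip_buildflags(config_text, flags_by_key):
    """Remove injected flags from the named keys only; raise rather than no-op."""
    out, seen = [], set()
    for line in config_text.splitlines():
        m = LINE.match(line)
        if m and m.group(1) in flags_by_key:
            key, tokens = m.group(1), m.group(2).split()
            flags = flags_by_key[key].split()
            if not set(flags) - GENERIC:
                raise ValueError(f"{key}: flags too generic to strip: {flags!r}")
            at = find_run(tokens, flags)
            if at < 0:
                raise ValueError(f"{key}: flags not found (invocations out of sync?)")
            del tokens[at:at + len(flags)]
            line = f"{key}='{' '.join(tokens)}'"
            seen.add(key)
        out.append(line)
    if set(flags_by_key) - seen:
        raise ValueError(f"keys missing: {sorted(set(flags_by_key) - seen)}")
    return "\n".join(out) + "\n"
```

Because matching is on whole tokens within the listed keys, the optimize line is left alone even though it contains -g.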
