[ogdi-dfsg] 11/19: Enable all hardening buildflags, except PIE (causes build failure).

Sebastiaan Couwenberg sebastic at moszumanska.debian.org
Sun Apr 3 00:13:17 UTC 2016


This is an automated email from the git hooks/post-receive script.

sebastic pushed a commit to branch master
in repository ogdi-dfsg.

commit b051fb01a08db843d80ad882156561afcbcf35de
Author: Bas Couwenberg <sebastic at xs4all.nl>
Date:   Sat Apr 2 22:55:29 2016 +0200

    Enable all hardening buildflags, except PIE (causes build failure).
---
 debian/changelog                    |  1 +
 debian/libogdi3.2.lintian-overrides |  4 ++++
 debian/ogdi-bin.lintian-overrides   |  3 +++
 debian/patches/hardening            | 28 ++++++++++++++++++++++++++++
 debian/patches/series               |  1 +
 debian/rules                        |  4 ++++
 6 files changed, 41 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 81eb043..3747f3d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -17,6 +17,7 @@ ogdi-dfsg (3.2.0~beta2-8) UNRELEASED; urgency=medium
   * Bump debhelper compatibility to 9.
   * Use minimal dh rules with autoreconf.
   * Don't treat format-security as an error, causes build failure.
+  * Enable all hardening buildflags, except PIE (causes build failure).
 
  -- Bas Couwenberg <sebastic at debian.org>  Sat, 02 Apr 2016 21:13:49 +0200
 
diff --git a/debian/libogdi3.2.lintian-overrides b/debian/libogdi3.2.lintian-overrides
new file mode 100644
index 0000000..df455d5
--- /dev/null
+++ b/debian/libogdi3.2.lintian-overrides
@@ -0,0 +1,4 @@
+# Build uses -D_FORTIFY_SOURCE=2, but hardening-check reports:
+#  Fortify Source functions: no, only unprotected functions found!
+libogdi3.2: hardening-no-fortify-functions *
+
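Review bot: The trailing `*` in `libogdi3.2: hardening-no-fortify-functions *` silences the tag for every file the package ships, now and in later uploads, and the comment does not say why the hardening-check result is treated as a false positive. `-D_FORTIFY_SOURCE=2` only has an effect when the compiler optimises and when CPPFLAGS actually reaches the compile commands, neither of which this commit shows, so the report may be accurate. I would confirm from the build log that the define and an optimisation level appear on the compile lines, then name the affected library in place of `*` and record the reason in the comment. The same applies to `ogdi-bin: hardening-no-pie *` in debian/ogdi-bin.lintian-overrides, whose comment `# PIE breaks the build` should name the failing step or a bug reference.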
diff --git a/debian/ogdi-bin.lintian-overrides b/debian/ogdi-bin.lintian-overrides
new file mode 100644
index 0000000..daedacc
--- /dev/null
+++ b/debian/ogdi-bin.lintian-overrides
@@ -0,0 +1,3 @@
+# PIE breaks the build
+ogdi-bin: hardening-no-pie *
+
diff --git a/debian/patches/hardening b/debian/patches/hardening
new file mode 100644
index 0000000..b411563
--- /dev/null
+++ b/debian/patches/hardening
@@ -0,0 +1,28 @@
+Description: Include hardening buidflags from the environment.
+Author: Bas Couwenberg <sebastic at debian.org>
+
+--- a/config/unix.mak
++++ b/config/unix.mak
+@@ -88,19 +88,19 @@ $(ARCHGEN): $(OBJECTS)
+ 
+ $(PROGGEN): $(OBJECTS)
+ 	@echo Making executable: $@
+-	$(LD) $(COMMON_LDFLAGS) $(COMMON_CFLAGS) -o $@ $^ $(LINK_LIBS)
++	$(LD) $(COMMON_LDFLAGS) $(LDFLAGS) $(COMMON_CFLAGS) -o $@ $^ $(LINK_LIBS)
+ 	@echo $@ made successfully ...
+ 
+ $(SHRDGEN): $(OBJECTS)
+ 	@echo Making shared library: $@
+-	$(SHLIB_LD) $(SHLIB_LDFLAGS) $(COMMON_LDFLAGS) $(COMMON_CFLAGS) -Wl,-soname,$(LIB_PREFIX)$(TOBEGEN).$(SHLIB_EXT).$(OGDI_MAJOR).$(OGDI_MINOR) -o $(TOPDIR)/bin/$(TARGET)/$(LIB_PREFIX)$(TOBEGEN).$(SHLIB_EXT).$(OGDI_MAJOR).$(OGDI_MINOR) $^ $(LINK_LIBS) 
++	$(SHLIB_LD) $(SHLIB_LDFLAGS) $(COMMON_LDFLAGS) $(LDFLAGS) $(COMMON_CFLAGS) -Wl,-soname,$(LIB_PREFIX)$(TOBEGEN).$(SHLIB_EXT).$(OGDI_MAJOR).$(OGDI_MINOR) -o $(TOPDIR)/bin/$(TARGET)/$(LIB_PREFIX)$(TOBEGEN).$(SHLIB_EXT).$(OGDI_MAJOR).$(OGDI_MINOR) $^ $(LINK_LIBS) 
+ 	cd $(TOPDIR)/bin/$(TARGET); ln -s $(LIB_PREFIX)$(TOBEGEN).$(SHLIB_EXT).$(OGDI_MAJOR).$(OGDI_MINOR) $(LIB_PREFIX)$(TOBEGEN).$(SHLIB_EXT).$(OGDI_MAJOR); \
+ 	ln -s $(LIB_PREFIX)$(TOBEGEN).$(SHLIB_EXT).$(OGDI_MAJOR) $(LIB_PREFIX)$(TOBEGEN).$(SHLIB_EXT); cd $(CURDIR)
+ 	@echo $@ made successfully ...
+ 
+ $(DYNAGEN): $(OBJECTS)
+ 	@echo Making dynamic library: $@
+-	$(SHLIB_LD) $(SHLIB_LDFLAGS) $(COMMON_LDFLAGS) $(COMMON_CFLAGS) -o $@ $^ $(LINK_LIBS) 
++	$(SHLIB_LD) $(SHLIB_LDFLAGS) $(COMMON_LDFLAGS) $(LDFLAGS) $(COMMON_CFLAGS) -o $@ $^ $(LINK_LIBS) 
+ 	@echo $@ made successfully ...
+ 
+ 
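Review bot: Only `$(LDFLAGS)` is added, and only to the three link recipes (`$(PROGGEN)`, `$(SHRDGEN)`, `$(DYNAGEN)`), so this hunk by itself brings in the linker-side hardening options but not the compile-time ones. Stack protector and `-D_FORTIFY_SOURCE=2` arrive through `CFLAGS` and `CPPFLAGS`; the compile rules of config/unix.mak lie outside the hunk, so it is worth confirming that `$(CPPFLAGS)` is used there, or adding it, before overriding the lintian tag. The patch header also has a typo (`buidflags`) and no `Forwarded:` field; I would add one stating whether the change was sent upstream.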
diff --git a/debian/patches/series b/debian/patches/series
index 8a6ac1a..3d68cc0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ shared
 endianess
 hurd
 new_nad_init
+hardening
diff --git a/debian/rules b/debian/rules
index d2b33ee..570e51b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -4,7 +4,11 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 
+# Enable hardening build flags
+export DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie
+
 export TOPDIR=$(CURDIR)
+export CFG=debug
 
 # Don't treat format-security as an error, caused build failure.
 CFLAGS += -Wno-error=format-security
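Review bot: `export CFG=debug` is added without a comment and is not mentioned in the commit message, and it may undercut the hardening this commit enables. If the upstream makefiles map `CFG=debug` to a build without optimisation (not visible here), `_FORTIFY_SOURCE` is inert, which would match the hardening-check output that the new lintian override hides. I would add a comment such as `# CFG=debug: <reason this configuration is required>` and check the compile lines for an `-O` level. The `-pie` exclusion in `DEB_BUILD_MAINT_OPTIONS` would likewise benefit from a pointer to the failure, e.g. `# PIE disabled: <bug reference>`, so it can be re-enabled once the build is fixed.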

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-grass/ogdi-dfsg.git


