[debian-mysql] How to replace the deprecated hardening-wrapper for MySQL and MariaDB packages properly?

Otto Kekäläinen otto at seravo.fi
Sun Sep 14 15:14:18 UTC 2014


Hello!

We already touched this, but there wasn't much response so I'll try to
get your attention again about how to correctly replace
hardening-wrapper in packages mysql-5.5, mysql-5.6, mariadb-5.5 and
mariadb-10.0 (or maybe we can skip the 5.5 versions if upgrades
progress soon).

2014-09-01 18:41 GMT+03:00 Otto Kekäläinen <otto at seravo.fi>:
> 2014-09-01 17:51 GMT+03:00 Norvald H. Ryeng <norvald.ryeng at oracle.com>:
>>> Now running lintian...
>>> E: mysql-5.6 source: build-depends-on-obsolete-package build-depends:
>>> hardening-wrapper => use dpkg-buildflags instead
>>
>>
>> I tried reading the documentation. If I understand correctly, since
>> we're using dh v9, we don't need to do anything about this, except
>> removing the hardening-wrapper dependency and DEB_BUILD_HARDENING=1
>> from debian/rules. Or am I mistaken? I didn't do anything about this
>> in the patch since I'm not sure.
>
> MariaDB has the same issue but I haven't figured out yet what is the
> proper solution. Please notify me if you figure out the officially
> correct way to fix this.


The most interesting documentation about this change is at
https://wiki.debian.org/Hardening#Notes_for_packages_using_CMake but
it is not straight-forward to apply to our mysql/mariadb packages.

I see that Björn addressed this in these commits:
http://anonscm.debian.org/cgit/pkg-mysql/mysql-5.6.git/commit/?id=7715b754bdc78d55c01129a4640a856f6dd22c80
and
http://anonscm.debian.org/cgit/pkg-mysql/mysql-5.6.git/commit/?id=195daacf50f7e1a821c55ff06ca6c139c5ae5461

The main content is here:

--- a/debian/rules
+++ b/debian/rules
@@ -1,9 +1,12 @@
#!/usr/bin/make -f
export DH_VERBOSE=1
-export DEB_BUILD_HARDENING=1
-PACKAGE:=mysql-5.6
+# enable Debian Hardening
+# see: https://wiki.debian.org/Hardening
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk

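Review bot: the hunk removes `-PACKAGE:=mysql-5.6` without a replacement; if $(PACKAGE) is referenced anywhere else in debian/rules those references now expand to empty, so confirm the variable was moved rather than dropped. The order of the added lines is right: `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` has to come before `include /usr/share/dpkg/buildflags.mk`, and because `DPKG_EXPORT_BUILDFLAGS = 1` is set before the include, buildflags.mk exports CFLAGS, CXXFLAGS, CPPFLAGS and LDFLAGS itself, so no separate export line is needed. One caveat for a CMake build such as this one: CMake does not read CPPFLAGS, so the -D_FORTIFY_SOURCE=2 part of the hardening flags only reaches the compiler if CPPFLAGS is appended to CFLAGS and CXXFLAGS, as the linked wiki section for CMake packages describes.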

I got a patch on Friday from Steffen Möller that suggests this:

--- a/debian/rules
+++ b/debian/rules
@@ -2,6 +2,9 @@

 export DH_VERBOSE=1
 export DEB_BUILD_HARDENING=1
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
+export CPPFLAGS CFLAGS LDFLAGS

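Review bot: `export DEB_BUILD_HARDENING=1` is left in place in the context lines; that variable is only read by the hardening-wrapper that lintian asks to remove, so it should go in the same change. The added `export CPPFLAGS CFLAGS LDFLAGS` is redundant once `DPKG_EXPORT_BUILDFLAGS = 1` precedes the include (the included makefile exports the flags itself), and if it were relied on it omits CXXFLAGS, which matters for a C++ code base. Without a `DEB_BUILD_MAINT_OPTIONS = hardening=+all` line this hunk also enables only the default hardening set, not pie and bindnow, so it is weaker than Björn's variant.
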
What do you think of these changes? At least the lines
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
are correct, but why are they not exported when DH_VERBOSE and DEB_* are?

Is there any tool we can use to test/scan binaries if their memory
addressing is fixed or hardened?

Björn added dpkg-dev into the build-deps, but dpkg-dev is in
build-essential, so it does not need to be defined, right?


Thanks to those who reply and add confidence that we are doing the
correct changes here!


- Otto
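An answer to the question about scanning binaries, as an added example that is not part of the thread or of the Debian packages: the script below reads the ELF64 program headers and dynamic section directly and reports the properties the dpkg-buildflags hardening options change in the output, namely PIE (ET_DYN), non-executable stack (PT_GNU_STACK without PF_X), RELRO (PT_GNU_RELRO) and BIND_NOW (DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW). Stack protector and FORTIFY are symbol-level checks and are left out. The build_sample_elf() helper is a constructed, headers-only ELF image used to exercise the checker offline; it is not a loadable program. The function names are this example's own.

```python
"""Report the hardening properties of an ELF64 binary without external tools.

Added example, not code from the mailing-list thread or from the Debian
packages. It reads the ELF program headers and dynamic section to report
PIE, non-executable stack, RELRO and BIND_NOW. The build_sample_elf()
helper constructs a headers-only ELF image (not loadable) for offline tests.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR_SIZE, PHDR_SIZE = 64, 56


def check_hardening(data: bytes) -> dict:
    """Return {'pie', 'nx_stack', 'relro', 'bind_now'} for an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:  # e_ident[EI_CLASS] == ELFCLASS64
        raise ValueError("only ELF64 images are handled here")
    endian = "<" if data[5] == 1 else ">"  # e_ident[EI_DATA]
    e_type = struct.unpack_from(endian + "H", data, 16)[0]
    e_phoff = struct.unpack_from(endian + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)

    # ET_DYN covers PIE executables and shared objects alike; when checking
    # a package you already know which file is the executable.
    pie = e_type == ET_DYN
    nx_stack = False          # no PT_GNU_STACK at all means an executable stack
    relro_segment = False
    dynamic = None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            endian + "IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro_segment = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)

    # The linker can express BIND_NOW in three ways; accept any of them.
    bind_now = False
    if dynamic:
        off, size = dynamic
        for pos in range(off, off + size, 16):
            tag, val = struct.unpack_from(endian + "qQ", data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True

    # "full" RELRO needs both the read-only segment and eager binding.
    relro = "full" if relro_segment and bind_now else "partial" if relro_segment else "none"
    return {"pie": pie, "nx_stack": nx_stack, "relro": relro, "bind_now": bind_now}


def build_sample_elf(pie=True, nx_stack=True, relro=True, bind_now=True) -> bytes:
    """Constructed little-endian ELF64 image containing only the headers the checker reads."""
    dyn = ([(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)] if bind_now else []) + [(DT_NULL, 0)]
    dyn_bytes = b"".join(struct.pack("<qQ", tag, val) for tag, val in dyn)

    phdrs = [(PT_GNU_STACK, 0 if nx_stack else PF_X), (PT_DYNAMIC, 0)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 0))
    dyn_off = EHDR_SIZE + PHDR_SIZE * len(phdrs)
    ph_bytes = b""
    for p_type, p_flags in phdrs:
        off, size = (dyn_off, len(dyn_bytes)) if p_type == PT_DYNAMIC else (0, 0)
        ph_bytes += struct.pack("<IIQQQQQQ", p_type, p_flags, off, 0, 0, size, size, 8)

    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LSB, version 1, SysV ABI
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0,
                               EHDR_SIZE, 0, 0, EHDR_SIZE, PHDR_SIZE, len(phdrs), 64, 0, 0)
    return ehdr + ph_bytes + dyn_bytes


def check_file(path: str) -> dict:
    """Run the checker on a file on disk, e.g. debian/tmp/usr/sbin/mysqld after the build."""
    with open(path, "rb") as fh:
        return check_hardening(fh.read())


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:   # no arguments: demonstrate on the constructed images
        print("hardened sample  ", check_hardening(build_sample_elf()))
        print("unhardened sample", check_hardening(build_sample_elf(False, False, False, False)))
    for path in targets:
        print(path, check_file(path))
```

Run it with the built binaries as arguments (for example the mysqld and mysql client binaries under debian/tmp after dpkg-buildpackage) to compare a build made with hardening-wrapper against one made with buildflags.mk; with hardening=+all the expected result is pie True, nx_stack True and relro "full". Debian's hardening-check script (from the hardening-includes package) performs the same checks plus the stack-protector and FORTIFY symbol checks, so it is the better tool where it is installed.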
