Enabling hardened build flags for Perl modules
jmm at inutil.org
Mon Jan 2 19:40:01 UTC 2012
On Sun, Jan 01, 2012 at 08:06:34PM -0800, Russ Allbery wrote:
> Moritz Muehlenhoff <jmm at debian.org> writes:
> > Security-hardened build flags are a release goal for Wheezy:
> > http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
> > I've been looking into all the packages, which had a DSA in the
> > last 5 years and started to submit patches.
> > Since the Debian Perl Group maintains most Perl modules I'd like
> > to discuss how to enable hardened build flags for those modules,
> > which are arch:any.
> > Most of the modules seem to have been converted to dh. When
> > run in debian/compat mode 9, dh automatically injects the
> > hardened build flags emitted by dpkg-buildflags:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=544844
> I replied to you along the same lines privately about rssh, but one of my
> concerns (not that I'm at all active in the pkg-perl group at the moment,
> so please weigh this accordingly) is that debhelper compat level 9 is not
> finalized yet and is experimental. Presumably Joey is doing that for
> a good reason. It would be a lot more comfortable to switch to dh 9 after
> debhelper 9 has been released, rather than while it can still undergo
> non-backward-compatible changes.
[This is not directly related to pkg-perl, since all these modules
are mostly alike, there's also the possibility of enabling hardened
build flags for Perl modules based on compat level 8]
There have been many packages which converted to compat level 9
(my gut feeling 150-200) already, and the first build flags code
has been available for nearly half a year. It's working fine, and while
there are always refinements there can hardly be massive changes anymore.
The freeze is only five months away and I'd rather see people
going forward with a straightforward solution than letting them
inject build flags on their own (which many people fail to do
properly: before I started to submit patches last week, there
were very few maintainers who had figured out how to enable
hardened build flags properly).
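For the compat-level-8 route mentioned above (injecting the dpkg-buildflags output by hand for an arch:any XS module), here is an added illustrative debian/rules, not taken from the post or from any pkg-perl package. It assumes dpkg-dev's buildflags.mk and that the module is built by ExtUtils::MakeMaker, whose documented OPTIMIZE and LD parameters are used to carry the flags into the XS compile and link steps; the override target is the assumed pattern, not something the thread prescribes.

```make
#!/usr/bin/make -f
# Added example debian/rules for an arch:any (XS) Perl module that stays at
# debian/compat 8. At this compat level dh does not inject the dpkg-buildflags
# output itself, so the flags have to be exported and passed through by hand.

# Export CFLAGS/CPPFLAGS/LDFLAGS as emitted by dpkg-buildflags (including any
# hardening options it enables) into the environment of every recipe below.
DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk

%:
	dh $@

# ExtUtils::MakeMaker ignores CFLAGS/LDFLAGS in the environment; its knobs
# are OPTIMIZE (compiler flags) and LD (the linker command). Without this
# override the XS objects are compiled and linked with perl's own defaults,
# i.e. without the exported hardening flags. $(CC) is make's built-in default
# ("cc"), which is what the shared object is linked with. (Assumed pattern.)
override_dh_auto_configure:
	dh_auto_configure -- \
		OPTIMIZE="$(CFLAGS) $(CPPFLAGS)" \
		LD="$(CC) $(LDFLAGS)"
```

The thing to verify afterwards is not the rules file but the result: look for the exported options (for example -fstack-protector and -D_FORTIFY_SOURCE on compile lines, -Wl,-z,relro on the link line) in the build log of the XS objects, and run hardening-check from hardening-includes against the installed .so. A debian/rules that exports the flags but never hands them to Makefile.PL is exactly the "looks hardened but isn't" case that makes the dh compat 9 route attractive.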