Enabling hardened build flags for Perl modules

Russ Allbery rra at debian.org
Mon Jan 2 20:03:22 UTC 2012


It seems like Alioth is blocking my mail for some reason (there's some
sort of odd bug in policyd that has done this before), so not sure if this
will make it to the list.

Moritz Mühlenhoff <jmm at inutil.org> writes:
> On Sun, Jan 01, 2012 at 08:06:34PM -0800, Russ Allbery wrote:

>> I replied to you along the same lines privately about rssh, but one of
>> my concerns (not that I'm at all active in the pkg-perl group at the
>> moment, so please weigh this accordingly) is that debhelper compat
>> level 9 is not finalized yet and is experimental.  Presumably Joey
>> is doing that for a good reason.  It would be a lot more comfortable to
>> switch to dh 9 after debhelper 9 has been released, rather than still
>> able to undergo non-backward-compatible changes.

> [This is not directly related to pkg-perl, since all these modules are
> mostly alike, there's also the possibility of enabling hardened build
> flags for Perl modules based on compat level 8]

True.

> There have been many packages, which converted to compat level 9 (my gut
> feeling 150-200) already and the first build flags code is available
> since nearly half a year. It's working fine and while there are always
> refinements there can hardly be massive changes anymore.

Yes, but that's not the part that I'm concerned about.  I'm sure the
hardening flags component is fine.  But, because debhelper compatibility
level 9 is experimental, Joey reserves the right to add more stuff to it
(possibly completely unrelated to hardening flags), including changes that
may not be backward-compatible.

I realize that a bunch of people have switched already, largely because of
multiarch, but it would be nice not to make the problem larger.

> The freeze is only five months away and I'd rather see people going
> forward with a straightforward solution than letting them inject build
> flags on their own (which many people fail to do properly: Before I
> started to submit patches last week, there have been very few
> maintainers, who figured out how to enable hardened build flags
> properly).

I'd just feel a lot better if you could get Joey to make compat level 9
non-experimental so that we know that there won't be changes to debhelper
that could result in FTBFS problems or the like between now and the
freeze.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>


