Package: spek Version: 0.8.0-1 Severity: normal Tags: patch Dear Maintainer,
All hardening flags were lost in the 0.8.0-1 update because the
package was switched to dh without raising the compat level to 9.
CDBS automatically enabled them, but with dh compat=9 is required
for hardening flags. For more hardening information please have a
look at [1], [2] and [3].
The following patch fixes the issue, it also enables verbose
builds to allow tools to detect missing hardening flags
automatically:
diff -Nru spek-0.8.0/debian/compat spek-0.8.0/debian/compat
--- spek-0.8.0/debian/compat 2011-03-15 12:53:20.000000000 +0100
+++ spek-0.8.0/debian/compat 2012-09-29 13:40:57.000000000 +0200
@@ -1 +1 @@
-7
+9
diff -Nru spek-0.8.0/debian/rules spek-0.8.0/debian/rules
--- spek-0.8.0/debian/rules 2012-09-25 19:00:52.000000000 +0200
+++ spek-0.8.0/debian/rules 2012-09-29 13:37:12.000000000 +0200
@@ -1,4 +1,6 @@
#!/usr/bin/make -f
+export V=1
+
%:
dh $@
To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log with `blhc` (hardening-check doesn't catch
everything):
$ hardening-check /usr/bin/spek
/usr/bin/spek:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: no, only unprotected functions found!
Read-only relocations: yes
Immediate binding: no not found!
(Position Independent Executable and Immediate binding is not
enabled by default.)
Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
signature.asc
Description: Digital signature
