Thanks to both of you, Andreas and Nicolas, for the fast help! Then I can upload soon.
Best regards,
Jan

And it came to pass on 28.05.2012 22:30 that Nicolas Bourdaud wrote:
> Hi Jan,
>
> On 28/05/2012 20:54, Jan Beyer wrote:
>> Lintian complains several times similar to this:
>> ----------
>> W: gwyddion: hardening-no-stackprotector usr/lib/gwyddion/modules/file/ambfile.so
>> N:
>> N: This package provides an ELF binary that lacks the stack protector
>> N: function __stack_chk_fail. Either there are no character arrays used on
>> N: the stack of any routines, or the package was not built with the default
>> N: Debian compiler flags defined by dpkg-buildflags. If built using
>> N: dpkg-buildflags directly, be sure to import CFLAGS and/or CXXFLAGS.
>> N:
>> N: Refer to http://wiki.debian.org/Hardening for details.
>> ----------
>>
>> When looking at the relevant section of the build-log, I feel that
>> the -fstack-protector option is given during compile:
>>
>> ----------
>> # source='ambfile.c' object='ambfile.lo' libtool=yes
>> /bin/bash ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -DG_LOG_DOMAIN=\"Module\" -D_FORTIFY_SOURCE=2 -Wall -W [...]
>> -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall -c -o ambfile.lo ambfile.c
>> [...]
>> Is it okay to ignore the Lintian warning (maybe its logic is not
>> quite perfect?) or do I need to do something to really implement
>> this correctly? There are also some more lintian warnings concerning
>> hardening-no-fortify-functions, but I think, once I understood the
>> above, these ones should work similarly.
>
> Don't worry, the hardening is effectively enabled but there are a lot of
> false positives in those checks. As explained by the warning, if your
> library does not use any routine that is eligible for being protected
> by the stack protector, the lintian check will misinterpret the library
> as being unprotected. The same applies for fortify-functions.
>
> As you have correctly noted, the two hardening flags are set in the
> compilation (I have kept three lines that show it). So you can safely
> ignore the warnings.
>
> Cheers,
>
> Nicolas
>
>

--
Jan Beyer
happy Debian Maintainer ;-)
mail [email protected]
GPG key ID 0x0CA6B4AA
jabber [email protected]
web http://www.beathovn.de/
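
The point discussed in this thread, that a missing `__stack_chk_fail` or `*_chk` symbol is not proof of a missing compiler flag, as an added example that is not part of the original messages: the function classifies imported-symbol listings in the format printed by `nm -D --undefined-only`. The function names, result strings and sample symbol lists are constructed for illustration, and the list of "plain" libc functions is a small assumed subset.

```shell
#!/bin/sh
# Added example: classify what a binary's imported symbols can and cannot prove.
# Input on stdin: lines as printed by `nm -D --undefined-only FILE`.
classify_symbols() {
    awk '
        { sym = $NF; sub(/@.*/, "", sym) }        # drop version suffix such as @GLIBC_2.4
        sym == "__stack_chk_fail"      { ssp = 1 }
        sym ~ /^__[a-z0-9_]+_chk$/     { chk++ }   # e.g. __memcpy_chk, __sprintf_chk
        sym ~ /^(memcpy|memmove|memset|strcpy|strncpy|strcat|sprintf|snprintf)$/ { plain++ }
        END {
            # A missing symbol is not proof of a missing flag: the compiler only
            # emits the canary check for functions it considers eligible, and only
            # rewrites libc calls whose destination size it can determine.
            print "stackprotector=" (ssp ? "present" : "no-evidence")
            if (chk)        print "fortify=present"
            else if (plain) print "fortify=plain-calls-only"
            else            print "fortify=no-evidence"
        }'
}

# Wrapper for a real file; requires nm from GNU binutils.
check_elf() {
    nm -D --undefined-only "$1" | classify_symbols
}

# Constructed sample: a module with no eligible routines (the false-positive case).
sample_no_buffers() {
    printf '%s\n' '   U free@GLIBC_2.2.5' '   U g_free' '   w __gmon_start__'
}

# Constructed sample: a module where both protections left visible traces.
sample_protected() {
    printf '%s\n' '   U __stack_chk_fail@GLIBC_2.4' \
                  '   U __memcpy_chk@GLIBC_2.3.4' '   U memcpy@GLIBC_2.14'
}

# Constructed sample: only unchecked libc calls are imported.
sample_plain_only() {
    printf '%s\n' '   U strcpy@GLIBC_2.2.5' '   U malloc@GLIBC_2.2.5'
}

sample_no_buffers | classify_symbols
```

A `no-evidence` or `plain-calls-only` result is the situation described above: confirm the flags in the build log, as was done for `ambfile.c`, before treating the warning as a real finding.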

