On Mon, Aug 19, 2013 at 1:47 AM, Vincent Bernat <ber...@debian.org> wrote:

> ❦ 19 août 2013 09:56 CEST, Tom Lee <deb...@tomlee.co> :
>
> >> - The hardening stuff does not seem to work correctly. Maybe you could
> >>   just try with debhelper 9 and debian/compat to 9 to have them apply
> >>   automatically.
> >>
> > Happy to try compat 9, but what can I do to verify that the hardening stuff
> > has been fixed? I mean, what's telling you that it's not working correctly?
> > Maybe I need to go reading more documentation.
>
> The easiest way is to use Lintian (I use it with -viI).
>

Odd, I don't see any warnings:

tom@desktop:~/Source$ lintian -viI capnproto_0.2.0-1.dsc
N: Using profile debian/main.
N: Setting up lab in /tmp/temp-lintian-lab-q9W0nEVK6F ...
N: Unpacking packages in group capnproto/0.2.0-1
N: ----
N: Processing source package capnproto (version 0.2.0-1, arch source) ...

I also see what looks like hardening-related CXXFLAGS during the build.
Stuff like this:

-D_FORTIFY_SOURCE=2 -I./src -I./src -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security

The warning appears on mentors.debian.net:

http://mentors.debian.net/package/capnproto

Maybe related to this bug:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673112#10

Based on this bug & assuming you can see the _FORTIFY_SOURCE etc. during
your build I'd be inclined to add another override for this -- what do you
think? Weird I can't reproduce it locally.

> >> - You use --with python2. I don't see any Python files in the resulting
> >>   packages. Therefore, you don't need to use dh_python2. I suppose
> >>   Python is only used in tests. Just keep it as a Build-Depends.
> >>
> > I can do that, but without it I think I was getting a warning about
> > python-support being deprecated & I should use --with python2 to "fix" it.
> > I'll try it again tomorrow to be sure, but is that safe enough to ignore?
> > Easy enough either way.
>
> Well, you shouldn't get this warning. Maybe it was here because you were
> build-depending on python-support?
>

Doesn't seem that way. From the control file:

Build-Depends: debhelper (>= 8.0.0), gcc (>= 4.7), python-all (>= 2.6),
 dpkg-dev (>= 1.16.1.1), docbook-xsl, docbook-xml, xsltproc, autotools-dev

Removed --with python2 from debian/rules and I see this near the end of the
build:

...
   dh_install
   dh_installdocs
   dh_installchangelogs
   dh_installman
   dh_pysupport
dh_pysupport: This program is deprecated, you should use dh_python2 instead.
Migration guide: http://deb.li/dhs2p
   dh_lintian
   dh_perl
   dh_link
   dh_compress
   dh_fixperms
   dh_strip
   dh_makeshlibs
...

Adding --with python2 back in makes the warning go away. I'm not really
sure I understand why the Python debhelper stuff is being invoked at all,
so I'm happy to go with whatever you feel is best here.

Cheers,
Tom

> --
> if (user_specified)
>         /* Didn't work, but the user is convinced this is the
>          * place. */
>         2.4.0-test2 /usr/src/linux/drivers/parport/parport_pc.c
>

--
*Tom Lee* / http://tomlee.co / @tglee <http://twitter.com/tglee>
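
An added example, not part of the original message or of the capnproto packaging: one way to check the hardening question raised above is to scan the build log for compile steps that lack the flags quoted in the CXXFLAGS line. The sample log and its file names are constructed, the required-flag list is taken only from that quoted line, and link-time flags are not checked.

```shell
# Added example (not from the thread): report compile steps in a build log
# that lack the hardening flags quoted in the message above.
REQUIRED='-D_FORTIFY_SOURCE=2 -fstack-protector -Wformat -Werror=format-security'

# Print the flags missing from one compiler command line (empty if none).
missing_flags() {
    line=" $1 "
    missing=
    for flag in $REQUIRED; do
        case "$line" in
            *" $flag "*) ;;
            *) missing="$missing $flag" ;;
        esac
    done
    # _FORTIFY_SOURCE only takes effect when optimisation is enabled.
    case "$line" in
        *" -O1 "*|*" -O2 "*|*" -O3 "*|*" -Os "*) ;;
        *) missing="$missing -O<n>" ;;
    esac
    printf '%s\n' "${missing# }"
}

# Read a build log on stdin; print one report line per compile step
# (a compiler invocation with -c) that is missing something.
check_log() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case " $line " in
            *" gcc "*|*" g++ "*|*" cc "*|*" c++ "*) ;;
            *) continue ;;
        esac
        case " $line " in *" -c "*) ;; *) continue ;; esac
        m=$(missing_flags "$line")
        if [ -n "$m" ]; then printf 'line %d: missing %s\n' "$n" "$m"; fi
    done
}

# Constructed sample log; the file names are made up for illustration.
sample_log() {
    cat <<'EOF'
g++ -D_FORTIFY_SOURCE=2 -I./src -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -c src/a.c++ -o a.o
g++ -I./src -g -O2 -c src/b.c++ -o b.o
   dh_strip
g++ -D_FORTIFY_SOURCE=2 -g -O0 -fstack-protector -Wformat -Werror=format-security -c src/c.c++ -o c.o
EOF
}

sample_log | check_log
```

To run it on a real build, pipe the saved build log into `check_log` instead of `sample_log`.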