Considering removing flags export from dpkg-buildpackage for quantal
Colin Watson
cjwatson at ubuntu.com
Sat Apr 28 00:39:54 UTC 2012

On #ubuntu-release today we've been discussing the possibility of
removing our hack from dpkg-buildpackage that exports the default output
of dpkg-buildflags in the environment. This was an ugly hack to start
with, and some months ago we had to make it even more ugly temporarily
(https://lists.ubuntu.com/archives/ubuntu-devel/2011-November/034351.html),
but on the general understanding that we would revert the whole lot
after 12.04 and start relying on dpkg-buildflags.

The effects of this change require some analysis; they were certainly
not obvious to me. Many of the default flags set by dpkg-buildflags are
in fact already the defaults in Ubuntu's compiler:

  -fstack-protector --param=ssp-buffer-size=4
  -D_FORTIFY_SOURCE=2
  -Wformat -Wformat-security
  -Wl,-z,relro

-Werror=format-security is output by dpkg-buildflags, but we filter that
out in the dpkg-buildpackage export hack at the moment to avoid causing
lots of build failures in unsuspecting packages.

The last remaining issue for default builds is therefore
-Wl,-Bsymbolic-functions. This is subtle: we use it (IIRC) as a
performance improvement for shared libraries, and I wouldn't like that
to regress. It's not trivial to detect whether a library has been built
that way, but after some fiddling I noticed that it shows up in the
output of 'objdump -R': a library built with -Wl,-Bsymbolic-functions
has more entries there.

I'm therefore currently building all of precise/main in a couple of
amd64 cloud instances with our hack removed from dpkg-buildpackage in
the build chroot, with the intention of checking for any build failures,
but also of extracting all the resulting shared libraries, running
'objdump -R' over them, and comparing against the corresponding shared
libraries in the archive. That should give us a general idea of how
much work it will be to ensure that all shared libraries continue to be
built with -Wl,-Bsymbolic-functions (except where that had already been
disabled for one reason or another). I hope to be able to report on
this after the weekend.

The other likely effect of removing this export hack is that putting
hardening options in DEB_BUILD_OPTIONS might start working differently.
However, this only affects local builds, and it can be fixed by
modifying packages to support dpkg-buildflags correctly. This is a
release goal for wheezy
(http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags), so
it's reasonable to expect Debian package maintainers to take patches for
this.

Any other comments?

--
Colin Watson [cjwatson at ubuntu.com]
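
The 'objdump -R' comparison described in the message could be scripted as follows. This is an added example, not part of the original post or of any Ubuntu tooling; the function names are hypothetical and the sample dumps are constructed so the script runs without binutils.

```shell
#!/bin/sh
# Count dynamic relocation records in `objdump -R` output read from stdin.
# A record line is a hex offset followed by a relocation type (R_*).
count_relocs() {
    awk '$1 ~ /^[0-9a-fA-F]+$/ && $2 ~ /^R_/ { n++ } END { print n + 0 }'
}

# Compare two saved `objdump -R` dumps and print one summary line.
# Usage: compare_dumps NAME ARCHIVE_DUMP REBUILT_DUMP
compare_dumps() {
    a=$(count_relocs < "$2")
    r=$(count_relocs < "$3")
    if [ "$a" -eq "$r" ]; then status=same; else status=DIFFERS; fi
    echo "$1 archive=$a rebuilt=$r delta=$((r - a)) $status"
}

# Run the comparison on two real libraries (needs binutils installed).
# Usage: compare_libs ARCHIVE_LIB REBUILT_LIB
compare_libs() {
    tmp=$(mktemp -d) || return 1
    objdump -R "$1" > "$tmp/archive.txt" &&
        objdump -R "$2" > "$tmp/rebuilt.txt" &&
        compare_dumps "$(basename "$1")" "$tmp/archive.txt" "$tmp/rebuilt.txt"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Constructed sample dumps (not taken from any real library).
sample_archive() {
cat <<'EOF'

libexample.so.1:     file format elf64-x86-64

DYNAMIC RELOCATION RECORDS
OFFSET           TYPE              VALUE
0000000000200e00 R_X86_64_RELATIVE  *ABS*+0x0000000000000690
0000000000200e08 R_X86_64_RELATIVE  *ABS*+0x0000000000000650
0000000000200fd8 R_X86_64_GLOB_DAT  __gmon_start__
0000000000201018 R_X86_64_JUMP_SLOT  puts
EOF
}
sample_rebuilt() {
    sample_archive | grep -v '0000000000200e08'
}

# With two library paths as arguments, compare them directly.
if [ "$#" -eq 2 ]; then compare_libs "$1" "$2"; fi
```

A library whose line ends in DIFFERS is a candidate for a closer look at how its link flags changed between the two builds.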