Considering removing flags export from dpkg-buildpackage for quantal

Colin Watson cjwatson at ubuntu.com
Sat Apr 28 00:39:54 UTC 2012 

On #ubuntu-release today we've been discussing the possibility of
removing our hack from dpkg-buildpackage that exports the default output
of dpkg-buildflags in the environment.  This was an ugly hack to start
with, and some months ago we had to make it even more ugly temporarily
(https://lists.ubuntu.com/archives/ubuntu-devel/2011-November/034351.html),
but on the general understanding that we would revert the whole lot
after 12.04 and start relying on dpkg-buildflags.

The effects of this change require some analysis; they were certainly
not obvious to me.  Many of the default flags set by dpkg-buildflags are
in fact already the defaults in Ubuntu's compiler:

  -fstack-protector --param=ssp-buffer-size=4
  -D_FORTIFY_SOURCE=2
  -Wformat -Wformat-security
  -Wl,-z,relro

-Werror=format-security is output by dpkg-buildflags, but we filter that
out in the dpkg-buildpackage export hack at the moment to avoid causing
lots of build failures in unsuspecting packages.

The last remaining issue for default builds is therefore
-Wl,-Bsymbolic-functions.  This is subtle: we use it (IIRC) as a
performance improvement for shared libraries, and I wouldn't like that
to regress.  It's not trivial to detect whether a library has been built
that way, but after some fiddling I noticed that it shows up in the
output of 'objdump -R': a library built with -Wl,-Bsymbolic-functions
has more entries there.

I'm therefore currently building all of precise/main in a couple of
amd64 cloud instances with our hack removed from dpkg-buildpackage in
the build chroot, with the intention of checking for any build failures,
but also of extracting all the resulting shared libraries, running
'objdump -R' over them, and comparing against the corresponding shared
libraries in the archive.  That should give us a general idea of how
much work it will be to ensure that all shared libraries continue to be
built with -Wl,-Bsymbolic-functions (except where that had already been
disabled for one reason or another).  I hope to be able to report on
this after the weekend.

The other likely effect of removing this export hack is that putting
hardening options in DEB_BUILD_OPTIONS might start working differently.
However, this only affects local builds, and it can be fixed by
modifying packages to support dpkg-buildflags correctly.  This is a
release goal for wheezy
(http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags), so
it's reasonable to expect Debian package maintainers to take patches for
this.

Any other comments?

-- 
Colin Watson                                       [cjwatson at ubuntu.com]

More information about the ubuntu-devel mailing list