Considering removing flags export from dpkg-buildpackage for quantal
Colin Watson
cjwatson at ubuntu.com
Mon Apr 30 17:17:56 UTC 2012
On Sat, Apr 28, 2012 at 01:39:54AM +0100, Colin Watson wrote:
> I'm therefore currently building all of precise/main in a couple of
> amd64 cloud instances with our hack removed from dpkg-buildpackage in
> the build chroot, with the intention of checking for any build failures,
> but also of extracting all the resulting shared libraries, running
> 'objdump -R' over them, and comparing against the corresponding shared
> libraries in the archive. That should give us a general idea of how
> much work it will be to ensure that all shared libraries continue to be
> built with -Wl,-Bsymbolic-functions (except where that had already been
> disabled for one reason or another). I hope to be able to report on
> this after the weekend.
Due to something unfortunate that happened to one of the instances, I
can't give a full report on this quite yet. However, the preliminary
results I saw were enough to make me content with removing this hack for
quantal. The executive summary is:
 * Somewhere in the area of 10% of binary packages in main show differences
   in 'objdump -R' output suggesting that -Wl,-Bsymbolic-functions may have
   been dropped.
 * A small number of packages do something like CFLAGS +=
   $(HARDENING_CFLAGS) in debian/rules, assuming that it's already exported,
   and as a result lose hardening or other flags. openbsd-inetd is the only
   instance of this I've spotted so far, and I fixed that; please check your
   Ubuntu-specific changes for this kind of problem with flags that wouldn't
   show up in hardening-check.
 * A fairly substantial number of packages lose optimisation options, which
   is most easily noticed by them losing fortify protection according to
   hardening-check, and occasionally stack protection on some binaries as
   well. These packages will be building without optimisation in Debian
   too, and thus whatever number I produce should be close to an upper
   bound.
 * I was building in a modified precise chroot; quantal will do better due
   to debhelper and cdbs changes.
So we will have some work to do, but I think it's tractable.
--
Colin Watson [cjwatson at ubuntu.com]
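
The 'objdump -R' comparison described in the message above, as an added example that is not part of the original post and is not the script used for the archive rebuild. The library name libfoo.so.1, its symbols, the sample objdump output and the EXPORTED set are all constructed for illustration.

```python
import re

# Constructed `objdump -R` output for one hypothetical library, libfoo.so.1:
# the archive build (linked with -Wl,-Bsymbolic-functions) and the rebuild.
ARCHIVE = """\
libfoo.so.1:     file format elf64-x86-64

DYNAMIC RELOCATION RECORDS
OFFSET           TYPE              VALUE
0000000000200df0 R_X86_64_RELATIVE  *ABS*+0x0000000000000690
0000000000201018 R_X86_64_JUMP_SLOT  malloc@GLIBC_2.2.5
0000000000201020 R_X86_64_JUMP_SLOT  free@GLIBC_2.2.5
"""
REBUILD = ARCHIVE + """\
0000000000201028 R_X86_64_JUMP_SLOT  foo_init
0000000000201030 R_X86_64_JUMP_SLOT  foo_parse
"""
# Constructed: function symbols libfoo itself defines (e.g. from `objdump -T`).
EXPORTED = {"foo_init", "foo_parse", "foo_free"}

RELOC_LINE = re.compile(r"^[0-9a-f]+\s+(R_\S+)\s+(\S+)\s*$")


def jump_slots(objdump_r_text):
    """Return the set of symbols that have a JUMP_SLOT (PLT) relocation."""
    syms = set()
    for line in objdump_r_text.splitlines():
        m = RELOC_LINE.match(line)
        if m and m.group(1).endswith("_JUMP_SLOT"):
            # Drop a symbol version (@GLIBC_...) or addend (+0x...).
            syms.add(re.split(r"[@+]", m.group(2), maxsplit=1)[0])
    return syms


def lost_symbolic_binding(archive_text, rebuild_text, exported):
    """Symbols the library defines that gained a PLT relocation in the rebuild.

    With -Bsymbolic-functions the linker binds calls to the library's own
    global functions at link time, so they need no JUMP_SLOT entry; seeing
    one appear in the rebuild suggests the flag was dropped.
    """
    gained = jump_slots(rebuild_text) - jump_slots(archive_text)
    return sorted(gained & set(exported))


if __name__ == "__main__":
    for sym in lost_symbolic_binding(ARCHIVE, REBUILD, EXPORTED):
        print("now resolved via PLT:", sym)
```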