• Lintian info message "hardening-no-bindnow" with vanilla debian/rules

    From Julian Gilbey@21:1/5 to All on Tue Aug 30 10:00:01 2022
    Hi!

    A package I maintain within the team (python3-pyxdameraulevenshtein)
    gives the following lintian message:

    I: python3-pyxdameraulevenshtein: hardening-no-bindnow [usr/lib/python3/dist-packages/pyxdameraulevenshtein.cpython-310-x86_64-linux-gnu.so]

    The debian/rules file is very bland, essentially:

    %:
    	dh $@ --buildsystem=pybuild

    and there is nothing about CFLAGS or the like in the setup.py file.
    So if having this hardening flag enabled is a good thing, it should
    probably be enabled somewhere within the pybuild system, rather than
    every individual package with an extension file doing it.

    Or have I missed something?

    Best wishes,

    Julian

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Gregor Riepl@21:1/5 to All on Tue Aug 30 19:40:01 2022
    > I: python3-pyxdameraulevenshtein: hardening-no-bindnow [usr/lib/python3/dist-packages/pyxdameraulevenshtein.cpython-310-x86_64-linux-gnu.so]
    >
    > and there is nothing about CFLAGS or the like in the setup.py file.
    > So if having this hardening flag enabled is a good thing, it should
    > probably be enabled somewhere within the pybuild system, rather than
    > every individual package with an extension file doing it.

    Hardening is generally a good thing, but can break code in subtle ways.
    I suppose that's why it was decided that enabling it by default in
    Debian was deemed too risky.

    Enabling it is quite easy, though: Just add

    export DEB_BUILD_MAINT_OPTIONS = hardening=+all

    near the top of your d/rules file. Some build systems may require
    additional flags, as documented here: https://wiki.debian.org/Hardening

    Also, note that hardening-no-bindnow is an Informational message, so not strictly something that needs to be acted upon: https://lintian.debian.org/tags/hardening-no-bindnow

    YMMV.

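One way to confirm that the rebuilt extension really is linked with immediate binding is to inspect its dynamic section with `readelf -d`. This is an added example, not part of the thread; the function names `has_bindnow` and `report_tree` and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample dumps are constructed.

# has_bindnow: read `readelf -d` output on stdin; succeed if the object
# requests immediate binding through any of the three ELF encodings.
has_bindnow() {
    awk '
        # Dedicated DT_BIND_NOW entry
        $2 == "(BIND_NOW)" { found = 1 }
        # DT_FLAGS carrying DF_BIND_NOW
        $2 == "(FLAGS)"    { for (i = 3; i <= NF; i++)
                                 if ($i == "BIND_NOW") found = 1 }
        # DT_FLAGS_1 carrying DF_1_NOW
        $2 == "(FLAGS_1)"  { for (i = 3; i <= NF; i++)
                                 if ($i == "NOW") found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# report_tree DIR: print one line per shared object below DIR.
# Needs readelf (binutils); DIR is typically debian/<package> after a build.
report_tree() {
    find "$1" -type f -name '*.so*' | while IFS= read -r so; do
        if readelf -d "$so" 2>/dev/null | has_bindnow; then
            echo "bindnow     $so"
        else
            echo "no-bindnow  $so"
        fi
    done
}

# Constructed samples of `readelf -d` lines, without and with the flag.
SAMPLE_LAZY=' 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000c (INIT)               0x1000'
SAMPLE_NOW=' 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW'
```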
  • From Julian Gilbey@21:1/5 to Gregor Riepl on Wed Aug 31 10:20:01 2022
    On Tue, Aug 30, 2022 at 07:33:07PM +0200, Gregor Riepl wrote:
    >> I: python3-pyxdameraulevenshtein: hardening-no-bindnow [usr/lib/python3/dist-packages/pyxdameraulevenshtein.cpython-310-x86_64-linux-gnu.so]
    >>
    >> and there is nothing about CFLAGS or the like in the setup.py file.
    >> So if having this hardening flag enabled is a good thing, it should
    >> probably be enabled somewhere within the pybuild system, rather than
    >> every individual package with an extension file doing it.
    >
    > Hardening is generally a good thing, but can break code in subtle ways.
    > I suppose that's why it was decided that enabling it by default in Debian
    > was deemed too risky.
    >
    > Enabling it is quite easy, though: Just add
    >
    > export DEB_BUILD_MAINT_OPTIONS = hardening=+all
    > [...]

    Thanks Gregor, I'll try that!

    > Also, note that hardening-no-bindnow is an Informational message, so not strictly something that needs to be acted upon: https://lintian.debian.org/tags/hardening-no-bindnow

    Indeed, hence the title of this message :-)

    Best wishes,

    Julian
