• Missing Hardening Flags (freefem++)

    From François Mazen@21:1/5 to All on Sat Jul 3 22:40:02 2021
    Dear Mentors,

    I'm updating the freefem++ package to 4.9 release [1] and I get hardening-no-bindnow lintian warnings on several binary outputs [2].

    Of course the appropriate variable is set in debian/rules (export DEB_BUILD_MAINT_OPTIONS = hardening=+all), see [3]. According to [4] it
    means that some flags like CPPFLAGS/CXXFLAGS/LDFLAGS are overridden
    somewhere in the configuration.

    I can't find where these flags are overridden. Could you please help?

    Thanks,
    François


    [1] https://salsa.debian.org/science-team/freefempp
    [2] https://paste.debian.net/1203281
    [3] https://salsa.debian.org/science-team/freefempp/-/blob/master/debian/rules
    [4] https://wiki.debian.org/Hardening

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andrey Rahmatullin@21:1/5 to All on Sun Jul 4 08:20:01 2021
    On Sat, Jul 03, 2021 at 09:59:30PM +0200, François Mazen wrote:
    > Dear Mentors,
    >
    > I'm updating the freefem++ package to 4.9 release [1] and I get hardening-no-bindnow lintian warnings on several binary outputs [2].
    >
    > Of course the appropriate variable is set in debian/rules (export DEB_BUILD_MAINT_OPTIONS = hardening=+all), see [3]. According to [4] it
    > means that some flags like CPPFLAGS/CXXFLAGS/LDFLAGS are overridden
    > somewhere in the configuration.
    >
    > I can't find where these flags are overridden. Could you please help?
    Can you publish the build log or at least make the repo buildable?

    --
    WBR, wRAR

  • From François Mazen@21:1/5 to All on Sun Jul 4 13:40:01 2021
    Hello Andrey,

    > Can you publish the build log or at least make the repo buildable?

    Unless I'm mistaken, the repo is buildable. See salsa CI [1] and
    associated build-log [2].
    I hope this helps to point me in the right direction.

    Thanks,
    François

    [1] https://salsa.debian.org/science-team/freefempp/-/pipelines/264090
    [2] https://salsa.debian.org/science-team/freefempp/-/jobs/1721112/raw


  • From Andrey Rahmatullin@21:1/5 to Andrey Rahmatullin on Sun Jul 4 19:50:02 2021
    On Sun, Jul 04, 2021 at 10:42:06PM +0500, Andrey Rahmatullin wrote:
    > Unrelated to this, the package uses -mmmx -avx, is this an RC bug or is
    > all code compiled with those flags only enabled at the run time on CPUs supporting them?
    I see this is already filed as #924009. I'll fix the severity.

    --
    WBR, wRAR

  • From Andrey Rahmatullin@21:1/5 to All on Sun Jul 4 19:50:02 2021
    On Sun, Jul 04, 2021 at 01:28:05PM +0200, François Mazen wrote:
    >> Can you publish the build log or at least make the repo buildable?
    >
    > Unless I'm mistaken, the repo is buildable. See salsa CI [1] and
    > associated build-log [2].
    Not sure how that works, as gbp requires the upstream/4.9+dfsg.1 tag
    which is not pushed.

    Anyway, some (I guess all) of those libs are compiled with ff-c++ which
    just doesn't pass LDFLAGS from the environment.
    The sid version was at least compiled with -Wl,-z,relro -Wl,--as-needed, because as, I presume, a workaround for that ff-c++ problem these flags
    were passed in $CC (which of course is not *that* sane) in debian/patches/gmm_cxxflags.patch, which is deleted in this version.
    Though even for the sid version blhc still reports lots of missing flags.

    Unrelated to this, the package uses -mmmx -avx, is this an RC bug or is
    all code compiled with those flags only enabled at the run time on CPUs supporting them?

    --
    WBR, wRAR

  • From François Mazen@21:1/5 to All on Sun Jul 4 22:30:03 2021
    Hi Andrey,

    > Anyway, some (I guess all) of those libs are compiled with ff-c++ which
    > just doesn't pass LDFLAGS from the environment.

    Indeed! Patching ff-c++ removed almost all hardening lintian warnings.
    I'll track the remaining ones.

    > Unrelated to this, the package uses -mmmx -avx, is this an RC bug or is
    > all code compiled with those flags only enabled at the run time on CPUs
    > supporting them?

    As stated in #924009, the --enable-generic configure option should fix
    it. I'll check before releasing the new package.

    Thanks a lot for your help!

    Best Regards,
    François
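
Added example, not part of the thread and not code from blhc, lintian or freefem++: a blhc-style scan of build-log link lines for the two linker flags that hardening=+all puts in LDFLAGS (-Wl,-z,relro and -Wl,-z,now), which is the symptom a wrapper such as ff-c++ produces when it does not pass LDFLAGS through. The compiler-name list, the function names and the sample log are assumptions constructed for illustration.

```python
import shlex

# -z keywords that hardening=+all adds to LDFLAGS via dpkg-buildflags.
Z_KEYWORDS = {"relro": "relro", "bindnow": "now"}
COMPILERS = {"gcc", "g++", "cc", "c++", "clang", "clang++"}  # assumed driver names

def missing_ldflags(line):
    """Return the hardening linker flags absent from a link command, or None if not a link."""
    try:
        argv = shlex.split(line)
    except ValueError:  # unbalanced quotes: not a command line we can judge
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] not in COMPILERS:
        return None
    if any(a in ("-c", "-S", "-E") for a in argv):  # stops before linking
        return None
    # Flatten every -Wl, option so "-Wl,-z,relro,-z,now" and "-Wl,-z -Wl,now" both work.
    linker_args = [p for a in argv if a.startswith("-Wl,") for p in a[4:].split(",")]
    z_opts = {linker_args[i + 1] for i, x in enumerate(linker_args[:-1]) if x == "-z"}
    return [name for name, kw in Z_KEYWORDS.items() if kw not in z_opts]

def scan(log):
    """Return (line number, output file, missing flags) for each under-hardened link line."""
    findings = []
    for n, line in enumerate(log.splitlines(), 1):
        missing = missing_ldflags(line)
        if missing:
            argv = shlex.split(line)
            out = argv[argv.index("-o") + 1] if "-o" in argv[:-1] else "a.out"
            findings.append((n, out, missing))
    return findings

# Constructed build-log excerpt (not taken from the freefem++ build log).
SAMPLE_LOG = """\
g++ -g -O2 -fstack-protector-strong -Wformat -c -fPIC plugin_a.cpp -o plugin_a.o
g++ -shared -fPIC plugin_a.o -o plugin_a.so
g++ -shared -Wl,-z,relro -Wl,--as-needed plugin_b.o -o plugin_b.so
g++ -shared -Wl,-z,relro -Wl,-z,now plugin_c.o -o plugin_c.so
g++ -shared -Wl,-z,relro,-z,now plugin_d.o -o plugin_d.so
"""

if __name__ == "__main__":
    for n, out, missing in scan(SAMPLE_LOG):
        print(f"line {n}: {out}: missing {', '.join(missing)}")
```

The third sample line mirrors the sid situation described above (relro present, bindnow absent), which is what lintian reports as hardening-no-bindnow on the resulting binary.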