ncbi-blast+: Enable full hardening flags, introducing a small patch

(use_pie_for_apps) to reflect the need to build executables and
libraries differently.

diff --git a/debian/changelog b/debian/changelog
index f547cfb77a11cc9bec6aa01e421dbfc1b6e90fbf..f0ab1db011d6c65fa4825de146c88e29f652feaf 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,9 @@ ncbi-blast+ (2.2.26-3) UNRELEASED; urgency=low
     - Use modern syntax for making protected base members public.
     - Add forward declarations as needed.
   * Wrap and sort build dependencies to ease maintenance thereof.
+  * Enable full hardening flags, introducing a small patch
+    (use_pie_for_apps) to reflect the need to build executables and
+    libraries differently.
   
   [ Andreas Tille ]
   * debian/control: Modernize Vcs-* fields.

diff --git a/debian/control b/debian/control
index 32886fcfc5d1a70225ffcba105df4d91d0158da7..f192bffeba42086f5ba8d5c8b17811b1f3a9877f 100644 (file)
--- a/debian/control
+++ b/debian/control
@@ -3,6 +3,7 @@ Section: science
 Priority: optional
 Build-Depends: autotools-dev (>= 20100122),
                debhelper (>= 7.0.50~),
+              dpkg-dev (>= 1.16.1),
                libboost-test-dev,
                libbz2-dev,
                libc0.3-dev (>= 2.13-9~) [hurd-i386],

diff --git a/debian/patches/series b/debian/patches/series
index 5c737d2bf55f897f94903e7dedd33b5f5881c2d0..10b11987686d03daaca7801d5cf38538e25ab961 100644 (file)
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@ fix_lib_deps
 no_multiarch_rpath
 wrong_path_to_touch.patch
 fix_gcc47_errors
+use_pie_for_apps

diff --git a/debian/patches/use_pie_for_apps b/debian/patches/use_pie_for_apps
new file mode 100644 (file)
index 0000000..c4528e0
--- /dev/null
+++ b/debian/patches/use_pie_for_apps
@@ -0,0 +1,20 @@
+Subject: build executables with -fPIE, not -fPIC
+
+* -fPIC is only useful for shared libraries; substitute -fPIE (to be
+   accompanied by appropriate APP_LDFLAGS) when building executables.
+
+Author: Aaron M. Ucko <ucko@debian.org>
+Last-Update: 2012-05-10
+--- a/c++/src/build-system/Makefile.app.in
++++ b/c++/src/build-system/Makefile.app.in
+@@ -24,8 +24,8 @@
+ 
+ ### C/C++ source file compilation (and maybe auto-dependencies) build rules
+ 
+-CXXFLAGS_ALL = @f_compile@ $(CXXFLAGS) $(LOCAL_CPPFLAGS) $(CPPFLAGS)
+-CFLAGS_ALL   = @f_compile@ $(CFLAGS) $(LOCAL_CPPFLAGS) $(CPPFLAGS)
++CXXFLAGS_ALL = @f_compile@ $(CXXFLAGS:-fPIC=-fPIE) $(LOCAL_CPPFLAGS) $(CPPFLAGS)
++CFLAGS_ALL   = @f_compile@ $(CFLAGS:-fPIC=-fPIE) $(LOCAL_CPPFLAGS) $(CPPFLAGS)
+ SOURCES      = @UNIX_SRC@ $(SRC)
+ include $(builddir)/Makefile.$(Rules)
+ 

diff --git a/debian/rules b/debian/rules
index faf4f4f9332a8f5ed159dc949edd028204cb97cc..4292f6a2ae285595fc0d5122d108c562b8be3f14 100755 (executable)
--- a/debian/rules
+++ b/debian/rules
@@ -7,7 +7,7 @@
 DEB_CONFIGURE_EXTRA_FLAGS=--with-dll --with-mt --without-autodep \
     --without-makefile-auto-update --with-flat-makefile --without-caution \
     --without-dbapi --without-lzo --with-runpath=/usr/lib/ncbi-blast+ \
-    --with-build-root=BUILD LDFLAGS='-Wl,--as-needed -Wl,--enable-new-dtags'
+    --with-build-root=BUILD
 proj=algo/blast/ app/ objmgr/ objtools/align_format/ objtools/blast/
 
 # XXX - not quite right, as we get -DNDEBUG vs. -D_DEBUG
@@ -17,12 +17,21 @@ else
 DEB_CONFIGURE_EXTRA_FLAGS += --with-optimization
 endif
 
+export DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie
+
 DEB_HOST_ARCH := $(shell dpkg-architecture -qDEB_HOST_ARCH)
+
+CFLAGS   := $(shell dpkg-buildflags --get CFLAGS)
+CPPFLAGS := $(shell dpkg-buildflags --get CPPFLAGS)
+CXXFLAGS := $(shell dpkg-buildflags --get CXXFLAGS)
+LDFLAGS  := $(shell dpkg-buildflags --get LDFLAGS) -Wl,--as-needed
+
 ifneq (,$(findstring mips,$(DEB_HOST_ARCH)))
-DEB_CONFIGURE_EXTRA_FLAGS += CXXFLAGS=-O FAST_CXXFLAGS=-O
+CXXFLAGS := $(CXXFLAGS:-O%=-O)
+DEB_CONFIGURE_EXTRA_FLAGS += FAST_CXXFLAGS=-O
 endif
 
-export MAKE
+export CFLAGS CPPFLAGS CXXFLAGS LDFLAGS MAKE
 
 llp=LD_LIBRARY_PATH
 override_dh_auto_configure:
@@ -30,7 +39,9 @@ override_dh_auto_configure:
            CONFIG_SHELL=/bin/bash ./configure $(DEB_CONFIGURE_EXTRA_FLAGS)
 
 override_dh_auto_build:
-       cd c++/BUILD/build  &&  make -f Makefile.flat all_projects="$(proj)"
+       cd c++/BUILD/build  && \
+           make -f Makefile.flat all_projects="$(proj)" \
+             APP_LDFLAGS='-Wl,-E -fPIE -pie'
 
 override_dh_auto_test:
        -dh_auto_test
@@ -65,7 +76,7 @@ override_dh_clean:
                `basename $$x .files`.module purge_sources); \
        done
        rm -rf c++/BUILD c++/compilers/dll c++/config.log c++/Makefile
-       rm -f c++/src/objects/blastxml/blastxml.module
+       rm -f c++/configure.lineno c++/src/objects/blastxml/blastxml.module
 
 %:
        dh $@ -Dc++ --with autotools_dev --with quilt