diff options
| author | Colin Watson <cjwatson@debian.org> | 2012-04-01 00:49:25 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2012-04-01 00:49:25 +0100 |
| commit | b4fcc0dd1f8ca61369332f4b9e8f1a718ea3e277 (patch) | |
| tree | be37497ce8f9964027b3622ddcf1f4fbb4368cf6 /debian | |
| parent | 067fd0ecd61293e0bbf7596d1a3ed0aa91528c8f (diff) | |
Use dpkg-buildflags, including for hardening support; drop use of
hardening-includes.
Diffstat (limited to 'debian')
| -rw-r--r-- | debian/changelog | 7 | ||||
| -rw-r--r-- | debian/control | 2 | ||||
| -rwxr-xr-x | debian/rules | 31 |
3 files changed, 13 insertions, 27 deletions
diff --git a/debian/changelog b/debian/changelog index 462543f7b..114d2199a 100644 --- a/debian/changelog +++ b/debian/changelog | |||
| @@ -1,3 +1,10 @@ | |||
| 1 | openssh (1:5.9p1-5) UNRELEASED; urgency=low | ||
| 2 | |||
| 3 | * Use dpkg-buildflags, including for hardening support; drop use of | ||
| 4 | hardening-includes. | ||
| 5 | |||
| 6 | -- Colin Watson <cjwatson@debian.org> Sat, 31 Mar 2012 11:13:09 +0100 | ||
| 7 | |||
| 1 | openssh (1:5.9p1-4) unstable; urgency=low | 8 | openssh (1:5.9p1-4) unstable; urgency=low |
| 2 | 9 | ||
| 3 | * Disable OpenSSL version check again, as its SONAME is sufficient | 10 | * Disable OpenSSL version check again, as its SONAME is sufficient |
diff --git a/debian/control b/debian/control index 9d947e2c8..feff00209 100644 --- a/debian/control +++ b/debian/control | |||
| @@ -2,7 +2,7 @@ Source: openssh | |||
| 2 | Section: net | 2 | Section: net |
| 3 | Priority: standard | 3 | Priority: standard |
| 4 | Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org> | 4 | Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org> |
| 5 | Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev (>= 1:1.2.3-1), libssl-dev (>= 0.9.8g), libpam0g-dev | libpam-dev, libgtk2.0-dev, libedit-dev, debhelper (>= 7.4.2~), libselinux1-dev [linux-any], libkrb5-dev | heimdal-dev, hardening-includes | 5 | Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev (>= 1:1.2.3-1), libssl-dev (>= 0.9.8g), libpam0g-dev | libpam-dev, libgtk2.0-dev, libedit-dev, debhelper (>= 7.4.2~), libselinux1-dev [linux-any], libkrb5-dev | heimdal-dev, dpkg (>= 1.16.1~) |
| 6 | Standards-Version: 3.8.4 | 6 | Standards-Version: 3.8.4 |
| 7 | Uploaders: Colin Watson <cjwatson@debian.org>, Matthew Vernon <matthew@debian.org> | 7 | Uploaders: Colin Watson <cjwatson@debian.org>, Matthew Vernon <matthew@debian.org> |
| 8 | Homepage: http://www.openssh.org/ | 8 | Homepage: http://www.openssh.org/ |
diff --git a/debian/rules b/debian/rules index ce56fdea4..0200d48d7 100755 --- a/debian/rules +++ b/debian/rules | |||
| @@ -3,17 +3,9 @@ | |||
| 3 | # Uncomment this to turn on verbose mode. | 3 | # Uncomment this to turn on verbose mode. |
| 4 | # export DH_VERBOSE=1 | 4 | # export DH_VERBOSE=1 |
| 5 | 5 | ||
| 6 | include /usr/share/hardening-includes/hardening.make | ||
| 7 | |||
| 8 | # This has to be exported to make some magic below work. | 6 | # This has to be exported to make some magic below work. |
| 9 | export DH_OPTIONS | 7 | export DH_OPTIONS |
| 10 | 8 | ||
| 11 | ifeq (,$(filter noopt,$(DEB_BUILD_OPTIONS))) | ||
| 12 | OPTFLAGS := -O2 | ||
| 13 | else | ||
| 14 | OPTFLAGS := -O0 | ||
| 15 | endif | ||
| 16 | |||
| 17 | ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS))) | 9 | ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS))) |
| 18 | RUN_TESTS := yes | 10 | RUN_TESTS := yes |
| 19 | else | 11 | else |
| @@ -31,7 +23,6 @@ else | |||
| 31 | endif | 23 | endif |
| 32 | 24 | ||
| 33 | DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS 2>/dev/null) | 25 | DEB_HOST_ARCH_OS := $(shell dpkg-architecture -qDEB_HOST_ARCH_OS 2>/dev/null) |
| 34 | DEB_HOST_ARCH_CPU := $(shell dpkg-architecture -qDEB_HOST_ARCH_CPU 2>/dev/null) | ||
| 35 | 26 | ||
| 36 | # Take account of old dpkg-architecture output. | 27 | # Take account of old dpkg-architecture output. |
| 37 | ifeq ($(DEB_HOST_ARCH_OS),) | 28 | ifeq ($(DEB_HOST_ARCH_OS),) |
| @@ -40,20 +31,6 @@ ifeq ($(DEB_HOST_ARCH_OS),) | |||
| 40 | DEB_HOST_ARCH_OS := hurd | 31 | DEB_HOST_ARCH_OS := hurd |
| 41 | endif | 32 | endif |
| 42 | endif | 33 | endif |
| 43 | ifeq ($(DEB_HOST_ARCH_CPU),) | ||
| 44 | DEB_HOST_ARCH_CPU := $(shell dpkg-architecture -qDEB_HOST_GNU_CPU) | ||
| 45 | ifeq ($(DEB_HOST_ARCH_CPU),x86_64) | ||
| 46 | DEB_HOST_ARCH_CPU := amd64 | ||
| 47 | endif | ||
| 48 | endif | ||
| 49 | |||
| 50 | ifneq (,$(findstring :$(DEB_HOST_ARCH_OS):,:linux:knetbsd:)) | ||
| 51 | ifneq (,$(findstring :$(DEB_HOST_ARCH_CPU):,:mips:mipsel:)) | ||
| 52 | # Apparently this is not implied by -fPIE, at least on the mipsen. | ||
| 53 | PIC_CFLAGS := -fPIC | ||
| 54 | PIC_LDFLAGS := -fPIC | ||
| 55 | endif | ||
| 56 | endif | ||
| 57 | 34 | ||
| 58 | # Change the version string to include the Debian version | 35 | # Change the version string to include the Debian version |
| 59 | SSH_EXTRAVERSION := Debian-$(shell dpkg-parsechangelog | sed -n -e '/^Version:/s/Version: //p' | sed -e 's/[^-]*-//') | 36 | SSH_EXTRAVERSION := Debian-$(shell dpkg-parsechangelog | sed -n -e '/^Version:/s/Version: //p' | sed -e 's/[^-]*-//') |
| @@ -108,7 +85,9 @@ confflags += --with-default-path=$(DEFAULT_PATH) --with-superuser-path=$(SUPERUS | |||
| 108 | confflags_udeb += --with-default-path=/usr/local/bin:/usr/bin:/bin --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin | 85 | confflags_udeb += --with-default-path=/usr/local/bin:/usr/bin:/bin --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin |
| 109 | 86 | ||
| 110 | # Compiler flags. | 87 | # Compiler flags. |
| 111 | cflags := $(OPTFLAGS) $(PIC_CFLAGS) $(HARDENING_CFLAGS) | 88 | export DEB_BUILD_MAINT_OPTIONS := hardening=+all |
| 89 | default_cflags := $(shell dpkg-buildflags --get CPPFLAGS) $(shell dpkg-buildflags --get CFLAGS) | ||
| 90 | cflags := $(default_cflags) | ||
| 112 | cflags += -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT | 91 | cflags += -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT |
| 113 | cflags += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\" | 92 | cflags += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\" |
| 114 | cflags_udeb := -Os | 93 | cflags_udeb := -Os |
| @@ -117,7 +96,7 @@ confflags += --with-cflags='$(cflags)' | |||
| 117 | confflags_udeb += --with-cflags='$(cflags_udeb)' | 96 | confflags_udeb += --with-cflags='$(cflags_udeb)' |
| 118 | 97 | ||
| 119 | # Linker flags. | 98 | # Linker flags. |
| 120 | confflags += --with-ldflags='$(strip -Wl,--as-needed $(PIC_LDFLAGS) $(HARDENING_LDFLAGS))' | 99 | confflags += --with-ldflags='$(strip -Wl,--as-needed $(shell dpkg-buildflags --get LDFLAGS))' |
| 121 | confflags_udeb += --with-ldflags='-Wl,--as-needed' | 100 | confflags_udeb += --with-ldflags='-Wl,--as-needed' |
| 122 | 101 | ||
| 123 | %: | 102 | %: |
| @@ -139,7 +118,7 @@ override_dh_auto_build: | |||
| 139 | $(MAKE) -C build-deb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' | 118 | $(MAKE) -C build-deb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' |
| 140 | $(MAKE) -C build-udeb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' ssh scp sftp sshd ssh-keygen | 119 | $(MAKE) -C build-udeb -j 2 ASKPASS_PROGRAM='/usr/bin/ssh-askpass' ssh scp sftp sshd ssh-keygen |
| 141 | 120 | ||
| 142 | $(MAKE) -C contrib gnome-ssh-askpass2 CC='$(CC) $(OPTFLAGS) -g -Wall -Wl,--as-needed' | 121 | $(MAKE) -C contrib gnome-ssh-askpass2 CC='$(CC) $(default_cflags) -Wall -Wl,--as-needed' |
| 143 | 122 | ||
| 144 | override_dh_auto_test: | 123 | override_dh_auto_test: |
| 145 | ifeq ($(RUN_TESTS),yes) | 124 | ifeq ($(RUN_TESTS),yes) |