< Debian, licenses, and license-count | Russ Allbery > Eagle's Path > February 2012 | Debian Policy 3.9.3.0 > |
Now is the point in the Debian release cycle where I usually try to go through my packages and bring them generally up to date. In case other people are doing the same thing, here are a few new facilities or techniques that I'm rolling out across my packages. (This is apart from the obvious stuff, like multiarch where appropriate and debhelper 9, and the older stuff, like using dh.)
dh-autoreconf is a new helper tool that runs autoreconf on the package during the build and cleans up properly afterwards. I've started switching all of my packages that use Autoconf and Automake and can use autoreconf over to it. (Some upstreams have more complex scripts that have to be run to regenerate the build system.) It plugs in trivially as a dh add-on, and even adds support for --as-needed (see below).
I'm doing this even for packages where I don't patch the build system, on the grounds that rebuilding everything from source, including the build system, is a good idea. It also means that I can patch the build system when I need to without having to add additional machinery at the time.
Linking with --as-needed. As I build new packages, I'm looking for anything that has warnings about generating unnecessary dependencies and adding --as-needed to the linker flags.
The combination of dh-autoreconf and the new dpkg-buildflags support makes this trivial to do for most packages. Just add something like:
export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
to debian/rules. It's worth being aware that --as-needed can break some unusual special cases of shared library loading, but I've not run into any of those cases with any of the software that I package.
dpkg-buildflags comes essentially for free with debhelper 9, but it's worth noting that, as shown above, it's a really easy way to add additional flags. And if you have to pass in flags via some other mechanism, use dpkg-buildflags to get the default flags.
Once you're up to debhelper 9 and are using dpkg-buildflags, adding hardening flags is easy. You get the default ones for free, and that's a pretty good start. (Install hardening-includes and use hardening-check to check the status of the binaries built by your package.) I always add at least hardening=+bindnow to DEB_BUILD_MAINT_OPTIONS (set with export in debian/rules), since the minor speed hit at startup doesn't matter for anything that I'm packaging. (It might for something like ls that runs all the time.)
I usually try to also add +pie, but be careful of that. Libtool will cope correctly with it and switch it back to PIC for shared libraries, but other shared library build processes may not. And it doesn't always work; for example, gnubg (GNU Backgammon) just immediately dies if built PIE, for reasons that I didn't track down.
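As an added illustration (not from the original post), here is how those pieces fit together in a debian/rules for a hypothetical Autoconf-based package. The package name example-pkg, the binary path under debian/example-pkg, and the single-binary-package layout are assumptions; the variables, the dh add-on and hardening-check are the real tools discussed above.

```make
#!/usr/bin/make -f
# debian/rules for a hypothetical Autoconf/Automake package "example-pkg".
# Added example, not the post's own packaging.  Assumes debian/compat = 9
# and Build-Depends: debhelper (>= 9), dh-autoreconf, hardening-includes.

# dpkg-buildflags already emits the default hardening flags; this adds
# -Wl,-z,now (+bindnow) and -fPIE/-pie (+pie) on top of them.  Drop +pie
# for a package that fails to build or run when built as PIE.
export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow,+pie

# Omit DT_NEEDED entries for libraries that are linked but never used.
export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed

# dh picks up the flags above through dpkg-buildflags; the autoreconf
# add-on regenerates configure/Makefile.in during build and cleans up.
%:
	dh $@ --with autoreconf

# Report the hardening status of the built binary (path is hypothetical).
# Informational only: "|| true" keeps a failed check from aborting the build.
override_dh_auto_install:
	dh_auto_install
	hardening-check debian/example-pkg/usr/bin/example || true
```

To see exactly what the two exported variables produce, run `dpkg-buildflags --get LDFLAGS` and `dpkg-buildflags --get CFLAGS` from the source directory with the same environment debian/rules exports.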
If, like me, you maintain your packaging in Git without using a separate tool that exports a patch series, and therefore use the single-debian-patch option, there is new support for applying that option only to your build as the maintainer but not to any other build that people do of your source package. This is good, since it means that any NMU diffs will be kept separate from your maintainer diff because they'll get the version of the NMU package added.
To get this behavior, move debian/source/patch-header to debian/source/local-patch-header and debian/source/options to debian/source/local-options (assuming that's your only option; otherwise, you might need to split it). Then the patch header and options won't be included in the generated source package and hence won't apply to NMUs or other packaging changes based on the source package in the archive instead of on the packaging repository.
It's also worth mentioning that Ubuntu was responsible for breaking a lot of ground here. Due to bug reports and patches submitted from Ubuntu, several of my packages already had hardening build flags and --as-needed issues fixed before this round of packaging refresh, which made adding these features much easier than it would be otherwise.
Posted: 2012-02-20 18:34