blhc (build log hardening check) is a small tool which checks build logs for
missing hardening flags. It's licensed under the GPL 3 or later.
+Hardening flags enable additional security features in the compiler to prevent
+e.g. stack overflows, format string vulnerabilities, GOT overwrites, etc.
+
+Because most build systems are quite complicated there are many places where
+compiler flags from the environment might be ignored. The parser verifies that
+all compiler commands use the correct hardening flags and thus all hardening
+features are correctly used.
+
It's designed to check build logs generated by Debian's dpkg-buildpackage (or
-tools using dpkg-buildpackage like pbuilder or the official buildd build logs)
-to help maintainers detect missing hardening flags in their packages.
+tools using dpkg-buildpackage like pbuilder or sbuild (which is used for the
+official buildd build logs)) to help maintainers detect missing hardening
+flags in their packages.
At the moment it works only on Debian and derivatives but it should be easily
-extendable for other systems as well.
+extendable to other systems as well. Patches are welcome.
+
+Only gcc is detected as compiler at the moment. If other compilers support
+hardening flags as well, please report them.
For more information about hardening flags have a look at [1].
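Review bot: the new introductory paragraph says hardening flags "prevent e.g. stack overflows, format string vulnerabilities, GOT overwrites"; the flags mitigate exploitation of such bugs (the stack protector aborts on a detected smashed stack, RELRO makes the GOT read-only) rather than prevent the bugs themselves, so "to mitigate the exploitation of e.g. stack buffer overflows, format string bugs and GOT overwrites" would be more accurate. In the same region, "Only gcc is detected as compiler" reads better as "as a compiler".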
- Perl
- Dpkg::Arch
- Dpkg::Version
+ - Term::ANSIColor >= 2.01
+ Bundled with perl. A recent version is only necessary for build logs with
+ ANSI colors which is rare, blhc works fine without if the build log
+ doesn't use colors. Not required for buildd mode.
USAGE
blhc path/to/log/file
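Review bot: the note under Term::ANSIColor, "blhc works fine without if the build log doesn't use colors", is missing its object; suggest "blhc works fine without it if the build log doesn't use colors". The same sentence also runs two statements together, so splitting after "which is rare" would help: "...build logs with ANSI colors, which is rare. blhc works fine without it if ...".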
+blhc can be run directly from the source tree (`bin/blhc`) or copied anywhere
+on the system. It doesn't have to be explicitly installed. To read the man
+page use `perldoc bin/blhc`.
+
+If there's no output, no flags are missing and the build log is fine.
+
For more examples see the man page.
The available hardening flags are adapted to the architecture because some
architectures don't support certain hardening options.
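Review bot: "If there's no output, no flags are missing and the build log is fine" is stronger than the LIMITATIONS section below supports, which states that without the dpkg-buildpackage line no compiler commands are detected; a log in which nothing was detected would presumably also produce no output without being fine. Suggest qualifying it, e.g. "If there's no output and compiler commands were detected, no flags are missing."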
+Some checks check the build dependencies for certain packages. The following
+lines are used to get the build dependencies. The first two are used in buildd
+build logs (the second was used in older logs), the third by pbuilder logs,
+all are detected:
+
+ Filtered Buildd-Depends: ...
+ Build-Depends: ...
+ Depends: ...
+
LIMITATIONS
-----------
dpkg-buildpackage: ...
If it's not present no compiler commands are detected. In case you don't use
-dpkp-buildpackage but still want to check a build log adding it as first line
+dpkp-buildpackage but still want to check a build log, adding it as first line
should work fine.
The following non-verbose builds can't be detected:
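Review bot: the replaced line still carries the typo "dpkp-buildpackage"; since this change only adds a comma, it is a good opportunity to also correct it to "dpkg-buildpackage" as spelled two lines above. In the new build-dependencies paragraph, "Some checks check the build dependencies" is repetitive; "Some checks inspect the build dependencies" reads better.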
blhc is licensed under GPL version 3 or later.
-Copyright (C) 2012 Simon Ruderich
+Copyright (C) 2012-2013 Simon Ruderich
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by