Clarification on lintian package

ArchEr9 · 2025-08-27 06:50:42

There is a AUR package, lintian, which appears to be a port of the Debian package by the same name. Is there a native package or script for Arch which does the same checks that lintian does? For example if we want to check if a particular binary or library or kernel has been compiled with the glibc option, FORTIFY_SOURCE or HARDENED_USERCOPY then it can be checked with lintian on Debian.

Lone_Wolf · 2025-08-27 11:26:48

https://archlinux.org/packages/extra/any/namcap/ has a similar role but is used mainly before and during buildtime on PKGBUILDs and pkg.tar.gz binaries.

The default settings for local builds are in /etc/makepkg.conf .

Packages in official repos are built with dev-tools, it's default settings are in /usr/share/devtools/makepkg.conf.d/ .
I expect you'll find x86_64.conf interesting .

Changes to those defaults are done in the PKGBUILDs which are accesible from https://gitlab.archlinux.org/archlinux/ … ckage_name

As for FORTIFY_SOURCE : that's been at 3 by default for a few years now.

ArchEr9 · 2025-08-28 02:42:48

Thanks. This is helpful.

This is for build time. I was looking for after the binary/library that has already been built. For example if we were to download any package from the Arch repository or from the AUR then in that case how do we check?

Lone_Wolf · 2025-08-28 09:14:24

I don't think there's an archlinux specific tool for that, but there are linux tools to get information about binaries .

readelf comes to mind, check man readelf

Last edited by Lone_Wolf (2025-08-28 09:14:41)

loqs · 2025-08-28 17:33:35

The `-grecord-gcc-switches` compiler switch which is enabled by default only records "options used to invoke the compiler that may affect code generation" so certain flags will be missed for example does not record `_FORTIFY_SOURCE` preprocessor define:

$ readelf -wi /usr/lib/libacl.so | grep -m1 DW_AT_producer
    <d>   DW_AT_producer    : (indirect string, offset: 0x46): GNU GIMPLE 13.2.1 20230801 -march=x86-64 -mtune=generic -g -g -O2 -O2 -fno-openmp -fno-openacc -fcf-protection=full -fPIC -fltrans

You can extract the .BUILDINFO from a built package to check the version of devtools and from that find the default flags, you could use that and the PKGBUILD used to generate the package to determine what flags were set of course the project itself can alter those flags internally.

Last edited by loqs (2025-08-28 17:33:57)

ArchEr9 · 2025-08-29 06:58:28

Do Arch packages (non AUR), linux kernels (Excluding those that are hosted on AUR) and initramfs get compiled with -grecord-gcc-switches option enabled?

@logs if a binary or library is not compiled with -grecord-gcc-switches then will lintian be able to identify whether the binary has the flags set during compilation?

loqs · 2025-08-29 12:38:53

ArchEr9 wrote:

Do Arch packages (non AUR), linux kernels (Excluding those that are hosted on AUR) and initramfs get compiled with -grecord-gcc-switches option enabled?

The compiler switch is enabed by default in both gcc and clang, Arch's defaults from devtools do not disable it, I am not aware of it being disabled by any PKGBUILD, projects themselves could disable it. initramfs is a cpio archive.

ArchEr9 wrote:

@logs if a binary or library is not compiled with -grecord-gcc-switches then will lintian be able to identify whether the binary has the flags set during compilation?

I have never used lintian.

Arch Linux

#1 2025-08-27 06:50:42

Clarification on lintian package

#2 2025-08-27 11:26:48

Re: Clarification on lintian package

#3 2025-08-28 02:42:48

Re: Clarification on lintian package

#4 2025-08-28 09:14:24

Re: Clarification on lintian package

#5 2025-08-28 17:33:35

Re: Clarification on lintian package

#6 2025-08-29 06:58:28

Re: Clarification on lintian package

#7 2025-08-29 12:38:53

Re: Clarification on lintian package

Board footer