#!/usr/bin/make -f export DEB_BUILD_MAINT_OPTIONS := hardening=+all include /usr/share/dpkg/default.mk # Uncomment this to turn on verbose mode. # export DH_VERBOSE=1 # This has to be exported to make some magic below work. export DH_OPTIONS ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS))) RUN_TESTS := yes else RUN_TESTS := endif ifeq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) PARALLEL := else PARALLEL := \ -j$(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) endif ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE)) CC := gcc PKG_CONFIG = pkg-config else CC := $(DEB_HOST_GNU_TYPE)-gcc PKG_CONFIG = $(DEB_HOST_GNU_TYPE)-pkg-config RUN_TESTS := endif # Change the version string to reflect distribution SSH_EXTRAVERSION := $(DEB_VENDOR)-$(shell echo '$(DEB_VERSION)' | sed -e 's/.*-//') UBUNTU := $(shell $(call dpkg_vendor_derives_from,Ubuntu)) ifeq ($(UBUNTU),yes) DEFAULT_PATH := /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games else DEFAULT_PATH := /usr/local/bin:/usr/bin:/bin:/usr/games endif SUPERUSER_PATH := /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ifeq ($(UBUNTU),yes) server_recommends := ssh-import-id else server_recommends := endif # Common path configuration. confflags += --sysconfdir=/etc/ssh confflags += --libexecdir=\$${prefix}/lib/openssh # Common build options. confflags += --disable-strip confflags += --with-mantype=doc confflags += --with-4in6 confflags += --with-privsep-path=/run/sshd confflags += --with-pid-dir=/run # The Hurd needs libcrypt for res_query et al. ifeq ($(DEB_HOST_ARCH_OS),hurd) confflags += --with-libs=-lcrypt endif # Avoid using libmd even if it's installed; see # https://bugs.debian.org/982705. confflags += ac_cv_header_sha2_h=false # Everything above here is common to the deb and udeb builds. confflags_udeb := $(confflags) # Options specific to the deb build. confflags += --with-tcp-wrappers confflags += --with-pam confflags += --with-libedit confflags += --with-kerberos5=/usr confflags += --with-ssl-engine ifeq ($(DEB_HOST_ARCH_OS),linux) confflags += --with-selinux confflags += --with-audit=linux confflags += --with-systemd confflags += --with-security-key-builtin endif # The deb build wants xauth; the udeb build doesn't. confflags += --with-xauth=/usr/bin/xauth confflags_udeb += --without-xauth # Default paths. The udeb build has /usr/games removed. confflags += --with-default-path=$(DEFAULT_PATH) --with-superuser-path=$(SUPERUSER_PATH) confflags_udeb += --with-default-path=/usr/local/bin:/usr/bin:/bin --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin # Compiler flags. cflags := $(CPPFLAGS) $(CFLAGS) cflags += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\" cflags_udeb := -Os cflags_udeb += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\" confflags += --with-cflags='$(cflags)' confflags_udeb += --with-cflags='$(cflags_udeb)' # Linker flags. confflags += --with-ldflags='$(strip -Wl,--as-needed $(LDFLAGS))' confflags_udeb += --with-ldflags='-Wl,--as-needed' ifeq ($(shell dpkg-vendor --is Ubuntu && echo yes) $(DEB_HOST_ARCH), yes i386) BUILD_PACKAGES += -Nopenssh-tests endif %: dh $@ --with=autoreconf,systemd,runit $(BUILD_PACKAGES) autoreconf: autoreconf -f -i cp -f /usr/share/misc/config.guess /usr/share/misc/config.sub ./ override_dh_autoreconf-arch: dh_autoreconf debian/rules -- autoreconf override_dh_autoreconf-indep: override_dh_auto_configure-arch: dh_auto_configure -Bdebian/build-deb -- $(confflags) ifeq ($(filter noudeb,$(DEB_BUILD_PROFILES)),) dh_auto_configure -Bdebian/build-udeb -- $(confflags_udeb) # Avoid libnsl linkage. Ugh. perl -pi -e 's/ +-lnsl//' debian/build-udeb/config.status cd debian/build-udeb && ./config.status endif override_dh_auto_configure-indep: override_dh_auto_build-arch: $(MAKE) -C debian/build-deb $(PARALLEL) ASKPASS_PROGRAM='/usr/bin/ssh-askpass' $(MAKE) -C debian/build-deb regress-prep $(MAKE) -C debian/build-deb $(PARALLEL) regress-binaries ifeq ($(filter noudeb,$(DEB_BUILD_PROFILES)),) $(MAKE) -C debian/build-udeb $(PARALLEL) ASKPASS_PROGRAM='/usr/bin/ssh-askpass' ssh scp sftp sshd ssh-keygen endif ifeq ($(filter pkg.openssh.nognome,$(DEB_BUILD_PROFILES)),) $(MAKE) -C contrib gnome-ssh-askpass3 CC='$(CC) $(CPPFLAGS) $(CFLAGS) -Wall -Wl,--as-needed $(LDFLAGS)' PKG_CONFIG=$(PKG_CONFIG) endif override_dh_auto_build-indep: override_dh_auto_test-arch: ifeq ($(RUN_TESTS),yes) $(MAKE) -C debian/build-deb unit compat-tests $(MAKE) -C debian/keygen-test endif override_dh_auto_test-indep: override_dh_auto_clean: rm -rf debian/build-deb debian/build-udeb ifeq ($(RUN_TESTS),yes) $(MAKE) -C debian/keygen-test clean endif $(MAKE) -C contrib clean override_dh_auto_install-arch: $(MAKE) -C debian/build-deb DESTDIR=`pwd`/debian/tmp install-nokeys override_dh_auto_install-indep: override_dh_install-arch: rm -f debian/tmp/etc/ssh/sshd_config dh_install -Nopenssh-client-udeb -Nopenssh-server-udeb --fail-missing ifeq ($(filter noudeb,$(DEB_BUILD_PROFILES)),) dh_install -popenssh-client-udeb -popenssh-server-udeb \ --sourcedir=debian/build-udeb endif # Remove version control tags to avoid unnecessary conffile # resolution steps for administrators. sed -i '/\$$OpenBSD:/d' \ debian/openssh-server/etc/ssh/moduli \ debian/openssh-server/usr/share/openssh/sshd_config \ debian/openssh-client/etc/ssh/ssh_config # Remove small Diffie-Hellman moduli awk '$$5 >= 4095' debian/openssh-server/etc/ssh/moduli > debian/openssh-server/etc/ssh/moduli.tmp mv -f debian/openssh-server/etc/ssh/moduli.tmp debian/openssh-server/etc/ssh/moduli # We'd like to use dh_install --fail-missing here, but that doesn't work # well in combination with dh-exec: it complains that files generated by # dh-exec for architecture-dependent packages aren't installed. override_dh_install-indep: rm -f debian/tmp/etc/ssh/sshd_config dh_install override_dh_installdocs: dh_installdocs -Nopenssh-server -Nopenssh-sftp-server dh_installdocs -popenssh-server -popenssh-sftp-server \ --link-doc=openssh-client # Avoid breaking dh_installexamples later. mkdir -p debian/openssh-server/usr/share/doc/openssh-client override_dh_systemd_enable: dh_systemd_enable -popenssh-server --name ssh ssh.service dh_systemd_enable -popenssh-server --name ssh --no-enable ssh.socket override_dh_installinit: dh_installinit -R --name ssh debian/openssh-server.sshd.pam: debian/openssh-server.sshd.pam.in ifeq ($(DEB_HOST_ARCH_OS),linux) sed 's/^@IF_KEYINIT@//' $< > $@ else sed '/^@IF_KEYINIT@/d' $< > $@ endif override_dh_installpam: debian/openssh-server.sshd.pam dh_installpam --name sshd override_dh_runit: dh_runit -popenssh-server override_dh_fixperms-arch: dh_fixperms chmod u+s debian/openssh-client/usr/lib/openssh/ssh-keysign # Tighten libssl dependencies to match the check in entropy.c. override_dh_shlibdeps: dh_shlibdeps debian/adjust-openssl-dependencies override_dh_gencontrol: dh_gencontrol -- -V'openssh-server:Recommends=$(server_recommends)' debian/faq.html: wget -O - http://www.openssh.com/faq.html | \ sed 's,\(href="\)\(txt/\|[^":]*\.html\),\1http://www.openssh.com/\2,g' \ > debian/faq.html