adds a line when no copyright for Dogecoin Core Developers exists
but the file has been edited by us, to the last year found in git
log, or extends the year range on an existing line when a file
has been modified since the year previously listed.
Excludes subtrees.
Disables checks from Bitcoin 24.0.1 security-check.py code that
we currently cannot support on Dogecoin Core without changes to
the build process:
- separate-code needs linking using binutils 2.31 and/or
  explicit linking with -z,separate-code on binutils 2.30+
- CONTROL_FLOW can be enabled after building with gcc-8
  or later. This would require at least an Ubuntu Focal
  Gitian implementation, and -fcf-protection enabled on
  the boost dependency.
- HIGH_ENTROPY_VA and RELOC_SECTION checks for Windows
  binaries need fixes for dogecoin-cli, dogecoin-tx and
  test binaries, so that ASLR can be used for these binaries
  the same way it was done for dogecoind and dogecoin-qt.
These checks can be re-enabled once these security features are
enabled on release binaries (i.e. those built with Gitian)
Takes the security and symbol checkers from Bitcoin Core v24.0.1
because this uses the python3 capable lief module for reading
multi-platform binaries. This helps get rid of
incompatibilities when using these tools in Ubuntu releases newer
than Bionic (18.04) and by using the external module, reduces risk
and maintenance cost of custom code.
This commit does NOT reconfigure for Dogecoin 1.14.7 parametrization
Backported from state at: b3f866a8@bitcoin/bitcoin
62c2915 build: supply `-Wl,--high-entropy-va` (Wladimir J. van der Laan)
9a75d29 devtools: Check for high-entropy ASLR in 64-bit PE executables (Wladimir J. van der Laan)
Ubuntu 16.04 "xenial xerus" does not come with Python 2.x by default.
It is possible to install a python-2.7 package, but this has its own
problem: no `python` or `python2` symlink (see #7717).
This fixes the following scripts to work with python 3:
- `make check` (bctest.py, bitcoin-util-test.py)
- `make translate` (extract_strings_qt.py)
- `make symbols-check` (symbol-check.py)
- `make security-check` (security-check.py)
Explicitly call the python commands using $(PYTHON) instead
of relying on the interpreter line at the top of the scripts.
Perform the following ELF security checks:
- PIE: Check for position independent executable (PIE), allowing for address space randomization
- NX: Check that no sections are writable and executable (including the stack)
- RELRO: Check for read-only relocations, binding at startup
- Canary: Check for use of stack canary
Also add a check to symbol-check.py that checks that only the subset of
allowed libraries is imported (to avoid incompatibilities).
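
The PIE, NX and RELRO checks listed above can be read from the ELF header and program headers alone. The following is an added example, not the project's security-check.py: it parses little-endian ELF64 with `struct` only, treats the presence of a PT_GNU_RELRO segment as sufficient for RELRO (the BIND_NOW and canary checks are left out), and runs on two constructed images built by the hypothetical helper `build_elf`.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK, PT_GNU_RELRO = 1, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
EHDR = "<HHIQQQIHHHHHH"   # ELF64 header fields after the 16-byte e_ident
PHDR = "<IIQQQQQQ"        # ELF64 program header (56 bytes)

def program_headers(elf: bytes):
    """Return (e_type, [(p_type, p_flags), ...]) for a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = struct.unpack_from(EHDR, elf, 16)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[4], hdr[8], hdr[9]
    phdrs = [struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]
    return e_type, phdrs

def check_elf(elf: bytes) -> dict:
    """Evaluate the PIE, NX and (partial) RELRO checks on one image."""
    e_type, phdrs = program_headers(elf)
    stack = [flags for ptype, flags in phdrs if ptype == PT_GNU_STACK]
    # Any segment that is both writable and executable defeats NX.
    wx = [flags for _, flags in phdrs if flags & PF_W and flags & PF_X]
    return {
        "PIE": e_type == ET_DYN,
        # A missing PT_GNU_STACK is treated as a failure, not a pass.
        "NX": bool(stack) and not (stack[0] & PF_X) and not wx,
        "RELRO": any(ptype == PT_GNU_RELRO for ptype, _ in phdrs),
    }

def build_elf(e_type: int, segments) -> bytes:
    """Hypothetical helper: constructed ELF64 header plus program headers only."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = ident + struct.pack(EHDR, e_type, 62, 1, 0, 64, 0, 0, 64, 56,
                                 len(segments), 0, 0, 0)
    return header + b"".join(struct.pack(PHDR, t, f, 0, 0, 0, 0, 0, 0)
                             for t, f in segments)

# Constructed samples: a hardened layout and one with an executable stack.
HARDENED = build_elf(ET_DYN, [(PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W),
                              (PT_GNU_STACK, PF_R | PF_W), (PT_GNU_RELRO, PF_R)])
WEAK = build_elf(ET_EXEC, [(PT_LOAD, PF_R | PF_W | PF_X),
                           (PT_GNU_STACK, PF_R | PF_W | PF_X)])

if __name__ == "__main__":
    for name, image in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, check_elf(image))
```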