On 27/06/12 14:20, Ben Hutchings wrote: > On Wed, 2012-06-27 at 14:09 +0300, Serge wrote: >> 2012/6/25 Ben Hutchings wrote: >> >>>> BTW, it's interesting that Fedora/CentOS use -Wp,-D_FORTIFY_SOURCE=2 >>>> and they use it in CFLAGS/CXXFLAGS. >>> >>> Presumably as a workaround for build systems that do not respect >>> CPPFLAGS. >> >> I actually noticed that because it's "-Wp,-D...", not "-D...". But I guess >> you're right, it's in CFLAGS because many build systems support CFLAGS, >> but only autotools support CPPFLAGS. >> >>> GNU make's implicit rules use CPPFLAGS. If other build systems or >>> overriden rules don't use it, it's a bug. This can of course be >>> worked around in debian/rules. >> >> Well, such argument can be applied to any build system. For example: Cmake >> uses CMAKE_C_FLAGS, but GNU's make does not use it. It's a bug. > > GNU make is the standard build sequencing tool for the GNU system (i.e. > for Debian). CMake and the others probably ought to follow the platform > conventions. > > [...] Actually CMake *does* honour CFLAGS and copies them into CMAKE_C_FLAGS, it doesn't do this for CPPFLAGS though. Look at the other cmake packages how hardening flags are handled there. Something like copying the set CPPFLAGS into CXXFlags or something. >> Talking just about autotools: >> * CPPFLAGS without CFLAGS are used only by ./configure script >> * CPPFLAGS without CFLAGS are used only for some conftests >> * -D_FORTIFY_SOURCE=2 means nothing for those tests >> * -D_FORTIFY_SOURCE=2 does nothing at all without -O2 >> So even for autotools there's no reason to keep -D_FORTIFY_SOURCE=2 in >> a CPPFLAGS variable. It can be easily dropped. > [...] > > I do take the point that it's not obviously useful to separate out > CPPFLAGS. > > Ben. > -- Regards, Dmitrijs.
Attachment:
signature.asc
Description: OpenPGP digital signature