[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Enabling hardened build flags for Wheezy

Charles Plessy <plessy@debian.org> (07/03/2012):
> But my main question is the following:
> In another bug, the problem is that CPPFLAGS is ignored in upstream's
> makefile.  I understand that the semantics of CFLAGS and CPPFLAGS are
> not the same, but I also note that a large number of our upstreams are
> not making the difference and use CFLAGS as a catch-all varible.
> Would it be possible to pass -D_FORTIFY_SOURCE=2 in CFLAGS in addition

I guess you could do something like (for C and C++ respectively for sane
upstreams, you might not need the CXX part given what you wrote):
  # do the dpkg-buildflags dance to get everything exported

so that the CPPFLAGS aren't lost?

Of course, you could avoid exporting everything to retain control over
what's exported to the rest of the build process, in which case you
could do something along those lines:
  CPPFLAGS = $(shell dpkg-buildflags --get CPPFLAGS)
  CFLAGS   = $(shell dpkg-buildflags --get CFLAGS  ) $(CPPFLAGS)
  CXXFLAGS = $(shell dpkg-buildflags --get CXXFLAGS) $(CPPFLAGS)
  LDFLAGS  = $(shell dpkg-buildflags --get LDFLAGS )

then pass those variables explicitly to ./configure:
  dh_auto_configure -- ... CFLAGS="$(CFLAGS)" CXXFLAGS="$(CXXFLAGS)" LDFLAGS="$(LDFLAGS)"

There are probably other ways to do this in compat 9, but I didn't
investigate it yet.


Attachment: signature.asc
Description: Digital signature

Reply to: