
Re: Enabling hardened build flags for Wheezy

On Mon, Apr 30, 2012 at 03:46:51PM -0700, Russ Allbery wrote:
> Most C programs use Autoconf in my experience.  I know that scientific
> software often doesn't, but I think scientific software is the significant
> outlier in that respect.

I see...  That probably explains everything.  My experience was indeed that
most software does not use Autoconf, puts everything in CFLAGS, and that CPPFLAGS
and LDFLAGS were very rarely used (I hope that also answers Bernhard's
interrogations).  We enabled hardening in some of these packages using
Debhelper 9 or CDBS, only to realise later that D_FORTIFY_SOURCE=2 and
-Wl,-z,relro were left out.

This said, the point that I want to make is that we switched from a situation
where the actual communication channel between our and upstream's makefiles was
C(XX)FLAGS, to a situation where CPPFLAGS and LDFLAGS also got some data input
in by our toolchain.  If there are other variables that are foreseen to be used the
same way in the future, it would be great to document it somewhere, so that we
can be prepared.


Charles Plessy
Debian Med packaging team,
Tsurumi, Kanagawa, Japan
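
The failure described in the message above (hardening flags delivered in CPPFLAGS and LDFLAGS silently dropped by a makefile that only reads CFLAGS) can be caught by scanning the build log. This is an added example, not part of the original message or of any Debian tool; the log lines and the package name `tool-1.0` are constructed, and the function names are hypothetical.

```python
import re
import shlex

# Flag named in the message -> build variable that carries it (dpkg-buildflags).
REQUIRED = {"compile": ("-D_FORTIFY_SOURCE=2", "CPPFLAGS"),
            "link": ("-Wl,-z,relro", "LDFLAGS")}
COMPILER = re.compile(r"(?:.*-)?(?:gcc|g\+\+|cc|c\+\+|clang(?:\+\+)?)(?:-[\d.]+)?")
SOURCES = (".c", ".cc", ".cpp", ".cxx")

# Constructed build log for a hypothetical package whose makefile honours only CFLAGS.
SAMPLE_LOG = """\
make[1]: Entering directory `/build/tool-1.0'
gcc -g -O2 -fstack-protector -c -o align.o align.c
gcc -g -O2 -fstack-protector -D_FORTIFY_SOURCE=2 -c -o io.o io.c
gcc -g -O2 -o tool align.o io.o -lm
gcc -Wl,-z,relro -o tool2 align.o io.o -lm
"""

def steps(argv):
    """Return which steps ('compile', 'link') one compiler invocation performs."""
    found = set()
    if any(arg.endswith(SOURCES) for arg in argv[1:]):
        found.add("compile")
    if not {"-c", "-S", "-E"} & set(argv):  # these options stop before linking
        found.add("link")
    return found

def audit(log_text):
    """Return (line, step, missing flag, variable) for each unhardened command."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            argv = shlex.split(line)
        except ValueError:  # make chatter with unbalanced quotes, not a command
            continue
        if not argv or not COMPILER.fullmatch(argv[0].rsplit("/", 1)[-1]):
            continue
        for step in sorted(steps(argv)):
            flag, var = REQUIRED[step]
            # Substring match so "-Wl,-z,relro,-z,now" still counts.
            if not any(flag in arg for arg in argv):
                findings.append((lineno, step, flag, var))
    return findings

if __name__ == "__main__":
    for lineno, step, flag, var in audit(SAMPLE_LOG):
        print(f"line {lineno}: {step} step lacks {flag} (makefile ignores {var}?)")
```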
