Re: Enabling hardened build flags for Wheezy

To: debian-devel@lists.debian.org
Subject: Re: Enabling hardened build flags for Wheezy
From: Charles Plessy <plessy@debian.org>
Date: Wed, 2 May 2012 09:17:05 +0900
Message-id: <[🔎] 20120502001705.GB1941@falafel.plessy.net>
In-reply-to: <87pqao6dno.fsf@windlord.stanford.edu>
References: <87pqao6dno.fsf@windlord.stanford.edu>

Le Mon, Apr 30, 2012 at 03:46:51PM -0700, Russ Allbery a écrit :
> 
> Most C programs use Autoconf in my experience.  I know that scientific
> software often doesn't, but I think scientific software is the significant
> outlier in that respect.

I see...  That probably explains everything.  My experience was indeed that
most software do not use autoconf, put everything in CFLAGS, and that CPPFLAGS
and LDFLAGS were very rarely used (I hope that also answers Bernhards
interrogations).  We enabled hardening in some of these packages using
Dephelper 9 or CDBS, only to realise later that D_FORTIFY_SOURCE=2 and
-Wl,-z,relro were left out.

This said, the point that I want to make, is that we switched from a situation
where the actual communication channel between our and upstreams makefile was
C(XX)FLAGS, to a situation where CPPFLAGS and LDFLAGS also got some data input
in by our toolchain.  If there are other variables that forseen to be used the
same way in the future, it would be great to document it somewhere, so that we
can be prepared.

Cheers,

-- 
Charles Plessy
Debian Med packaging team,
http://www.debian.org/devel/debian-med
Tsurumi, Kanagawa, Japan

Reply to:

Follow-Ups:
- Re: Enabling hardened build flags for Wheezy
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: Node.js and it's future in debian
Next by Date: Re: Enabling hardened build flags for Wheezy
Previous by thread: Re: Enabling hardened build flags for Wheezy
Next by thread: Re: Enabling hardened build flags for Wheezy
Index(es):
- Date
- Thread