Re: [hardening-discuss] Using hardening-wrapper but lintian warning still present

Julien Cristau <jcristau@debian.org> writes:
> On Wed, Jun 20, 2012 at 12:56:21 -0700, Kees Cook wrote:

>> If you're using debhelper compat level 9, you don't have to worry about
>> including hardening-wrapper and using DEB_BUILD_HARDENING=1. You'll get
>> the defaults automatically through debhelper. This is the preferred way
>> to get build flags now.

> Only if you're using dh.  Not quite the same thing.

And the build system honors the flags that dh passes in.  There are a
variety of prerequisites that have to be in place for this to all just
work.  If the package is using Autoconf and friends, it probably will, but
it's not guaranteed.  (I have at least one package using Autoconf that
overrides the build flags for historical reasons and loses the hardening

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
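
Added example, not part of the original message or any poster's own code: one way to check whether a build system actually honored the flags dh passed in is to scan a verbose build log for compiler invocations that lack them. The flag list, the function names and the sample log below are assumptions made for illustration.

```python
import shlex

# Assumption: this flag set mirrors the hardening defaults dpkg-buildflags
# emitted around the time of this thread; compare with `dpkg-buildflags --dump`.
REQUIRED_COMPILE = ("-fstack-protector", "-D_FORTIFY_SOURCE=2", "-Werror=format-security")
REQUIRED_LINK = ("-Wl,-z,relro",)
COMPILERS = ("gcc", "g++", "cc", "c++")
SOURCES = (".c", ".cc", ".cpp", ".cxx")

def missing_flags(line):
    """Return hardening flags absent from one compiler command line,
    or None when the line is not a compiler invocation."""
    try:
        argv = shlex.split(line)
    except ValueError:          # unbalanced quotes in a log line
        return None
    if not argv:
        return None
    name = argv[0].rsplit("/", 1)[-1]
    if name not in COMPILERS and not name.endswith(("-gcc", "-g++")):
        return None
    compiling = "-c" in argv or any(a.endswith(SOURCES) for a in argv[1:])
    linking = not any(a in ("-c", "-E", "-S") for a in argv)
    required = (REQUIRED_COMPILE if compiling else ()) + (REQUIRED_LINK if linking else ())
    return [f for f in required if not any(a.startswith(f) for a in argv)]

def audit(log_text):
    """Return (line_number, missing_flags) for each under-hardened command."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        missing = missing_flags(line)
        if missing:
            findings.append((number, missing))
    return findings

# Constructed build-log excerpt (not from a real package): legacy.c is built by
# a rule that hard-codes its own flags, and helper is linked without LDFLAGS.
SAMPLE_LOG = """\
dh_auto_build
gcc -DHAVE_CONFIG_H -I. -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -c -o util.o util.c
gcc -DHAVE_CONFIG_H -I. -O3 -c -o legacy.o legacy.c
gcc -g -O2 -Wl,-z,relro -o tool util.o legacy.o
gcc -O3 -o helper helper.o
"""

if __name__ == "__main__":
    for number, missing in audit(SAMPLE_LOG):
        print(f"line {number}: missing {' '.join(missing)}")
```

The check only sees commands the build prints, so it needs a verbose log; silent or abbreviated build rules hide the flags it looks for.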

