Re: Lintian warning: hardening-no-fortify-functions & version numbering

On Wed, 2012-06-27 at 14:09 +0300, Serge wrote:
> 2012/6/25 Ben Hutchings wrote:
> >> BTW, it's interesting that Fedora/CentOS use -Wp,-D_FORTIFY_SOURCE=2
> >> and they use it in CFLAGS/CXXFLAGS.
> >
> > Presumably as a workaround for build systems that do not respect
> I actually noticed that because it's "-Wp,-D...", not "-D...". But I guess
> you're right, it's in CFLAGS because many build systems support CFLAGS,
> but only autotools support CPPFLAGS.
> > GNU make's implicit rules use CPPFLAGS.  If other build systems or
> > overridden rules don't use it, it's a bug.  This can of course be
> > worked around in debian/rules.
> Well, such an argument can be applied to any build system. For example: CMake
> uses CMAKE_C_FLAGS, but GNU's make does not use it. It's a bug.

GNU make is the standard build sequencing tool for the GNU system (i.e.
for Debian).  CMake and the others probably ought to follow the platform

> Talking just about autotools:
> * CPPFLAGS without CFLAGS are used only by ./configure script
> * CPPFLAGS without CFLAGS are used only for some conftests
> * -D_FORTIFY_SOURCE=2 means nothing for those tests
> * -D_FORTIFY_SOURCE=2 does nothing at all without -O2
> So even for autotools there's no reason to keep -D_FORTIFY_SOURCE=2 in
> a CPPFLAGS variable. It can be easily dropped.

I do take the point that it's not obviously useful to separate out


Ben Hutchings
Lowery's Law:
             If it jams, force it. If it breaks, it needed replacing anyway.
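
The flag-placement question discussed in this message can be checked mechanically. The script below is an added example, not part of the original thread or of Lintian: given the flags a compile line actually received, it reports whether `_FORTIFY_SOURCE` can take effect. The function name `fortify_status` and the sample flag lines are constructed; it assumes glibc's behaviour of enabling fortification only when the compiler is optimizing (any level above `-O0`, of which the `-O2` named in the thread is the usual case).

```shell
#!/bin/sh
# Added example (hypothetical helper): decide from a compiler flag string
# whether _FORTIFY_SOURCE can take effect. Two rules are modelled: the last
# -D/-U and the last -O on the command line win, and fortification needs
# an optimizing build.

fortify_status() {
    level=0      # value of _FORTIFY_SOURCE after all -D/-U flags
    opt=-O0      # effective optimization flag (compilers default to -O0)
    set -f       # no globbing while the flag string is word-split
    for flag in $1; do
        flag=${flag#-Wp,}                 # -Wp,-DFOO reaches cpp as -DFOO
        case $flag in
            -D_FORTIFY_SOURCE=*) level=${flag#*=} ;;
            -D_FORTIFY_SOURCE)   level=1 ;;   # bare -D defines the macro as 1
            -U_FORTIFY_SOURCE)   level=0 ;;
            -O*)                 opt=$flag ;;
        esac
    done
    set +f
    case $level in ''|*[!0-9]*) level=0 ;; esac   # non-numeric: treat as off
    if [ "$level" -eq 0 ]; then
        echo "off: _FORTIFY_SOURCE not defined"
    elif [ "$opt" = "-O0" ]; then
        echo "off: _FORTIFY_SOURCE=$level defined but no optimization"
    else
        echo "on: _FORTIFY_SOURCE=$level with $opt"
    fi
}

# Constructed sample compile lines, one per case raised in the thread.
for line in \
    "-g -O2 -Wp,-D_FORTIFY_SOURCE=2" \
    "-D_FORTIFY_SOURCE=2 -g -O2" \
    "-D_FORTIFY_SOURCE=2 -g" \
    "-g -O2"
do
    # 1: define carried in CFLAGS; 2: CPPFLAGS and CFLAGS both honoured;
    # 3: CFLAGS dropped by the build system; 4: CPPFLAGS dropped.
    printf '%-34s %s\n' "$line" "$(fortify_status "$line")"
done
```

The fourth sample line is the case where a build system ignores CPPFLAGS and the define never reaches the compiler.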
