
Re: Bug#552688: Please decide how Debian should enable hardening build flags

On Wed, Jul 27, 2011 at 11:56:39PM +0200, Raphael Hertzog wrote:
> In the course of doing this I discovered that this won't have the
> expected result:
> ---
> [...]
> 	./configure $(shell dpkg-buildflags --export=configure)
> ---

> Apparently make doesn't export the variables to the sub-shell
> run in this way but only to shells run for commands in the various
> targets. So instead I have to do it this way:
> ./configure $(shell DEB_CFLAGS_MAINT_APPEND="-Wall" dpkg-buildflags --export=configure)

I would be inclined to write this as:

BUILD_FLAGS = $(shell DEB_CFLAGS_MAINT_APPEND="-Wall" dpkg-buildflags --export=configure)

	./configure $(BUILD_FLAGS)

though a helper implementing this may of course choose to avoid clobbering
the namespace by declaring new make variables.

> Should we go further and provide centralized variables that can be used
> to strip out the precise set of build flags that each hardening "feature"
> adds? For reference /usr/share/hardening-includes/hardening.make does
> provide such variables.

Now that we've suggested complementing DEB_BUILD_OPTIONS with
DEB_BUILD_MAINT_OPTIONS, it stands to reason that we might define some
macros for common cases.

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
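
[Added example, not part of the original message or of any Debian tool: a constructed Makefile showing the behaviour discussed above. A small `sh -c` probe stands in for dpkg-buildflags reading DEB_CFLAGS_MAINT_APPEND from its environment, and the target names are made up for the demo.]

```shell
#!/bin/sh
# Constructed demo: compares three ways a maintainer variable can reach a
# command that make runs. No dpkg-dev needed; PROBE is a hypothetical
# stand-in that prints DEB_CFLAGS_MAINT_APPEND as seen in its environment.

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/Makefile" <<'EOF'
export DEB_CFLAGS_MAINT_APPEND = -Wall

PROBE = sh -c 'printf "%s" "$$DEB_CFLAGS_MAINT_APPEND"'

# Relies on make passing the exported variable to the $(shell ...) sub-shell.
# GNU make before 4.4 does not do this; 4.4 and later do.
VIA_EXPORT := $(shell $(PROBE))

# Sets the variable on the $(shell ...) command line itself, as in the
# message above. Independent of the make version.
VIA_INLINE := $(shell DEB_CFLAGS_MAINT_APPEND="-Wall" $(PROBE))

via-export: ; @printf '%s' '$(VIA_EXPORT)'
via-inline: ; @printf '%s' '$(VIA_INLINE)'
# Recipe commands always receive exported variables.
via-recipe: ; @$(PROBE)
EOF

# Run one demo target and print what the probe saw.
probe() { make -s -f "$demo_dir/Makefile" "$1"; }

for target in via-export via-inline via-recipe; do
    printf '%-11s [%s]\n' "$target" "$(probe "$target")"
done
```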
