
Re: Hardening powder



On 10/05/13 20:15, Markus Koschany wrote:
> On 10.05.2013 11:38, Steven Hamilton wrote:
>> Hi folks,
>> I'm adopting and repacking Powder as per bug #691835. In addition to
>> modernising the package I'm attempting to harden it. The package uses a
>> custom shell script to build which I fork out of the rules file. No
>> matter what I do though I can't fully harden it with the best I can get
>> being this;
>
> Hi Steven,
>
> you can use
>
> export DEB_BUILD_MAINT_OPTIONS = hardening=+all
>
> in debian/rules to activate all hardening features.


Yep, unfortunately the buildall.sh script that's spawned out of the rules file only supports CXXFLAGS and LDFLAGS, so I need to pull them from dpkg-buildflags and spawn the vars out in front of the script. A bit ugly but it works. I've also now found the error with PIE. Turns out the script was building a binary with a static libstdc++.a, which is only of any use when moving a binary between systems. Since we're building against a known ABI we can run dynamic and get PIE support. I've patched the buildall.sh to support this. Upload to mentors coming soon.
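The approach described in this message, as an added example that is not code from the thread or from the Powder package: it passes the `dpkg-buildflags` values to the build script and then checks `readelf` output for PIE, RELRO, BIND_NOW and a dynamically linked libstdc++. The function names, the `./buildall.sh` default path and the two sample `readelf` excerpts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and sample output are assumptions.

# buildall.sh reads only CXXFLAGS and LDFLAGS, so CPPFLAGS (which carries
# -D_FORTIFY_SOURCE=2) is folded into CXXFLAGS instead of being dropped.
build_hardened() {
    script=${1:-./buildall.sh}   # assumed location of the upstream script
    DEB_BUILD_MAINT_OPTIONS=hardening=+all; export DEB_BUILD_MAINT_OPTIONS
    CXXFLAGS="$(dpkg-buildflags --get CPPFLAGS) $(dpkg-buildflags --get CXXFLAGS)" \
    LDFLAGS="$(dpkg-buildflags --get LDFLAGS)" "$script"
}

# Read `readelf -h -l -d` output on stdin, print one verdict per property,
# and return 0 only when every property is present (intended for executables).
check_readelf() {
    out=$(cat); rc=0
    for spec in 'pie:^ *Type: +DYN' 'relro:GNU_RELRO' 'bindnow:BIND_NOW' \
                'libstdc++.so:\(NEEDED\).*libstdc\+\+\.so'; do
        name=${spec%%:*}; re=${spec#*:}
        if printf '%s\n' "$out" | grep -Eq -- "$re"; then
            echo "$name: yes"
        else
            echo "$name: no"; rc=1
        fi
    done
    return $rc
}

check_binary() { readelf -h -l -d "$1" | check_readelf; }

# Constructed, abbreviated readelf output: static libstdc++ vs. dynamic + PIE.
sample_before() { cat <<'EOF'
  Type:                              EXEC (Executable file)
  GNU_RELRO      0x0000000000123df0 0x0000000000523df0
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
EOF
}
sample_after() { cat <<'EOF'
  Type:                              DYN (Shared object file)
  GNU_RELRO      0x0000000000123df0 0x0000000000323df0
 0x0000000000000001 (NEEDED)             Shared library: [libstdc++.so.6]
 0x0000000000000018 (BIND_NOW)
EOF
}

echo "before:"; sample_before | check_readelf || true
echo "after:";  sample_after  | check_readelf
```

On a real build, `check_binary` takes the path of the installed executable; stack-protector and fortify coverage need the symbol table and are not checked here.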

