Bug#656643: Hardened build flags
Hi,
On Tue, Jan 24, 2012 at 08:05:51PM +0100, Moritz Muehlenhoff wrote:
> > > - PATH=$(BUILD_PATH) LD_LIBRARY_PATH=$(BUILD_LD_LIBRARY_PATH) DEFAULT_TO_ENGLISH_FOR_PACKING=1 ARCH_FLAGS=$(ARCH_FLAGS) TMP=`mktemp -q -d` CFLAGS="$(CFLAGS)" CXXFLAGS="$(CXXFLAGS)" $(MAKE) build
> > > + PATH=$(BUILD_PATH) LD_LIBRARY_PATH=$(BUILD_LD_LIBRARY_PATH) DEFAULT_TO_ENGLISH_FOR_PACKING=1 ARCH_FLAGS=$(ARCH_FLAGS) TMP=`mktemp -q -d` CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" CFLAGS="$(CFLAGS)" CXXFLAGS="$(CXXFLAGS)" $(MAKE) build
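Review bot: On the `+` line, CPPFLAGS and LDFLAGS reach `$(MAKE) build` only through the environment, and make lets any assignment inside a makefile override an environment variable of the same name. Wherever the sub-makefiles set these variables themselves, the hardening flags are silently dropped. Consider passing them as arguments after `$(MAKE)`, where they take precedence over makefile assignments, or check the resulting binaries to confirm that the flags actually arrived.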
> >
> > ... but not here. Maybe one can whack that all into $(ARCH_FLAGS) if something else
> > in the build process would not mind unused/needed options...
Had a look yesterday
diff --git a/rules b/rules
index b7be177..b1a8635 100755
--- a/rules
+++ b/rules
@@ -633,6 +633,9 @@ ifeq (noopt,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
ARCH_FLAGS += -O0
endif
+# for the hardening build flags
+ARCH_FLAGS += "$(shell dpkg-buildflags --get CXXFLAGS | sed -e s/-g// | sed -e s/-O[0-3]//g) $(shell dpkg-buildflags --get CPPFLAGS) $(shell dpkg-buildflags --+
# Build python depends from current python version
PYMAJOR:=$(shell python -c "import sys; print sys.version_info[0]")
PYMINOR:=$(shell python -c "import sys; print sys.version_info[1]")
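Review bot: The sed scripts in the added `ARCH_FLAGS +=` line are unquoted and not anchored to whole options: `s/-g//` removes the first `-g` it finds anywhere in the CXXFLAGS string, including inside a longer option, and `s/-O[0-3]//g` leaves `-Os` in place. Quote both scripts and match complete words only, so that a hardening option is never cut by accident. The opening double quote before `$(shell` is also kept literally by make, so ARCH_FLAGS will contain a quote character when it is expanded into a command line; drop the quoting unless the consumer of ARCH_FLAGS depends on it.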
seems to work at least for compiling, linking doesn't get the LDFLAGS, though.
Looks like we need to patch the makefiles directly, like debian-opt.diff ;-)
Regards,
Rene