Bug#656643: Hardened build flags
tag 656643 + pending
thanks
On Fri, Mar 02, 2012 at 09:11:32AM +0100, Rene Engelhard wrote:
> Looks like we need to patch the makefiles directly, like debian-opt.diff ;-)
Looks I got it now (except for external libraries embedded in the code..):
diff --git a/changelog b/changelog
index 24a7595..bc3c20a 100644
--- a/changelog
+++ b/changelog
@@ -30,8 +30,10 @@ libreoffice (1:3.5.1~rc1-1) UNRELEASED; urgency=low
libc0.1-dev (= 2.13-26) [kfreebsd-i386 kfreebsd-amd64]
* debian/control.mozilla.in: stricten dependencies to 3.5, thanks
Mario Holbe for the observation
+ * debian/rules, debian/patches/hardened-LDFLAGS.diff: use hardened
+ buildflags from dpkg-buildflags (closes: #656643)
- -- Rene Engelhard <rene@debian.org> Wed, 29 Feb 2012 22:40:38 +0100
+ -- Rene Engelhard <rene@debian.org> Fri, 02 Mar 2012 20:46:23 +0100
libreoffice (1:3.5.0-2) experimental; urgency=low
diff --git a/patches/hardened-LDFLAGS.diff b/patches/hardened-LDFLAGS.diff
new file mode 100644
index 0000000..c033fad
--- /dev/null
+++ b/patches/hardened-LDFLAGS.diff
@@ -0,0 +1,26 @@
+diff --git a/solenv/gbuild/LinkTarget.mk b/solenv/gbuild/LinkTarget.mk
+index c094bb4..a0608f4 100644
+--- a/solenv/gbuild/LinkTarget.mk
++++ b/solenv/gbuild/LinkTarget.mk
+@@ -46,6 +46,8 @@ CXXFLAGS ?= $(gb_COMPILEROPTFLAGS)
+ OBJCXXFLAGS ?= $(gb_COMPILEROPTFLAGS)
+ endif
+
++LDFLAGS += "$(shell dpkg-buildflags --get LDFLAGS)"
++
+ # if enabled we link all of these libraries into one larger, merged library
+ # for which we can do a lot more optimisation, and which is faster to read
+ # from disk.
+diff --git a/solenv/inc/unxgcc.mk b/solenv/inc/unxgcc.mk
+index a3231a6..5a63144 100644
+--- a/solenv/inc/unxgcc.mk
++++ b/solenv/inc/unxgcc.mk
+@@ -233,6 +233,8 @@ LINKFLAGS += -Wl,--hash-style=$(WITH_LINKER_HASH_STYLE)
+ LINKFLAGS += -Wl,-zdynsort
+ .ENDIF
+
++LINKFLAGS += "$(shell dpkg-buildflags --get LDFLAGS)"
++
+ # libraries for linking applications
+ STDLIBGUIMT+=-Wl,--as-needed $(DL_LIB) $(PTHREAD_LIBS) -lm -Wl,--no-as-needed
+ STDLIBCUIMT+=-Wl,--as-needed $(DL_LIB) $(PTHREAD_LIBS) -lm -Wl,--no-as-needed
diff --git a/patches/series b/patches/series
index 8d16f49..3454ed3 100644
--- a/patches/series
+++ b/patches/series
@@ -31,3 +31,4 @@ move-binfilter-mimetypes-in-extra-desktop-file.diff
pythonloader.uno.so-libpyuno-and-pyuno-are-duplicate.diff
armhf-bridges-doubles.diff
nsplugin-fix-SimpleFileAccess-instance.diff
+hardened-LDFLAGS.diff
diff --git a/rules b/rules
index b7be177..a68501b 100755
--- a/rules
+++ b/rules
@@ -633,6 +633,9 @@ ifeq (noopt,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
ARCH_FLAGS += -O0
endif
+# for the hardened build flags. LDFLAGS is done in hardeded-LDFLAGS.diff
+ARCH_FLAGS += "$(shell dpkg-buildflags --get CXXFLAGS | sed -e s/-g// | sed -e s/-O[0-3]//g) $(shell dpkg-buildflags --get CPPFLAGS)"
+
# Build python depends from current python version
PYMAJOR:=$(shell python -c "import sys; print sys.version_info[0]")
PYMINOR:=$(shell python -c "import sys; print sys.version_info[1]")
Regards,
Rene
Reply to: