
Re: Question: compiler options for CUPS modules?



Hi Didier,

On Thu 31 Dec 2020 at 11:41, Didier 'OdyX' Raboud (odyx@debian.org) wrote:
> On Friday, 25 December 2020, 12:58:39 CET, Martin-Éric Racine wrote:
> > I've been maintaining CUPS-PDF ever since it entered Debian.
> >
> > Recently, Lintian has been giving all sorts of hints about enabling
> > hardening. Bug reports at Debian and at derivatives suggest that some
> > of the hardening options might cause CUPS-PDF to fail at writing files
> > to the expected destination.
> >
> > I was thus wondering what sort of hardening options (if any) are used
> > for building other CUPS printer drivers that require compiling?
>
> In terms of compilation hardening, this is what's used in CUPS:
> https://sources.debian.org/src/cups/2.3.3op1-4/debian/rules/#L7
>
>   # Enabling PIE globally doesn't work, but ./configure already enables PIE
>   # where necessary.
>   export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie

What you use as hardening options precisely is what interests me, but
not for building CUPS itself as much as for building binary CUPS
backends/drivers.

I'm asking because, for instance, for an Xorg driver, I've had to
explicitly disable bindnow (DEB_BUILD_MAINT_OPTIONS =
hardening=+all,-bindnow), otherwise the driver cannot load X
extensions.

> In terms of runtime hardening, CUPS ships with an apparmor profile
> https://sources.debian.org/src/cups/2.3.3op1-4/debian/local/apparmor-profile/

I'm aware of that one. CUPS-PDF ships with comments in the config
file, in NEWS.Debian and in the package description to warn about
this. This is not what I was asking about.

Martin-Éric
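Whether the `-bindnow` or `-pie` exclusions discussed above actually took effect is easiest to confirm on the built ELF rather than by reading the flags. The check below is an added example, not code from CUPS, CUPS-PDF or this thread: it reads the DT_FLAGS/DT_FLAGS_1 dynamic entries the way `readelf -d` reports them, assumes a 64-bit little-endian ELF, and builds a small synthetic image so it can be exercised without a real driver.

```python
import struct
import sys

# Constants from the ELF specification (64-bit little-endian assumed)
ET_DYN = 3            # used for both shared objects and PIE executables
PT_DYNAMIC = 2
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000


def hardening_flags(data: bytes) -> dict:
    """Return whether an ELF64 image was linked as PIE and with BIND_NOW."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    bind_now, flags_1 = False, 0
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if struct.unpack_from("<I", data, off)[0] != PT_DYNAMIC:
            continue
        p_offset = struct.unpack_from("<Q", data, off + 8)[0]
        p_filesz = struct.unpack_from("<Q", data, off + 32)[0]
        for pos in range(p_offset, p_offset + p_filesz, 16):
            tag, val = struct.unpack_from("<qQ", data, pos)   # Elf64_Dyn
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW):
                bind_now = True
            if tag == DT_FLAGS_1:
                flags_1 = val
                bind_now = bind_now or bool(val & DF_1_NOW)
    # DF_1_PIE is set by current linkers for PIE executables; a plain .so is ET_DYN without it
    return {"pie": e_type == ET_DYN and bool(flags_1 & DF_1_PIE), "bind_now": bind_now}


def build_synthetic_elf(pie: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 (header, one PT_DYNAMIC, dynamic entries); test input only."""
    dyn = []
    if bind_now:
        dyn.append(struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW))
    if bind_now or pie:
        dyn.append(struct.pack("<qQ", DT_FLAGS_1, (DF_1_NOW if bind_now else 0) | (DF_1_PIE if pie else 0)))
    dyn.append(struct.pack("<qQ", DT_NULL, 0))
    dynamic = b"".join(dyn)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8          # ELFCLASS64, little-endian
    header = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0, len(dynamic), len(dynamic), 8)
    return header + phdr + dynamic                                   # dynamic section at offset 120


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:    # e.g. a CUPS backend or filter binary
        print(hardening_flags(f.read()))
```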
