Re: dpkg-buildflags bindnow
Hi All,
2016-09-03 8:24 GMT+02:00 Stuart Prescott <stuart@debian.org>:
> Hi Jonathon,
>
>> one proposed solution[1] is to add
>>
>> $(shell dpkg-buildflags --get LDFLAGS)
>>
>> to the LDFLAGS
>>
>> however, dpkg-buildflags does *not* add flags for bindnow by default[2],
>> and the system needs additional configuration to add these.

There is an ongoing effort to make it the default:
https://wiki.debian.org/Hardening/PIEByDefaultTransition

Probably it would be a good idea to wait a few weeks to see if bindnow gets
enabled by default before (instead of) updating all the packages.

>
> Buried elsewhere on the wiki page is that you also need to enable additional
> hardening options for dpkg-buildflags to include bindnow. For lots of common
> build systems, dh will actually already include dpkg-buildflags --get LDFLAGS
> for you, the trick is to tell dpkg-buildflags to include yet more.
>
> Often, this is sufficient:
>
> export DEB_BUILD_MAINT_OPTIONS = hardening=+all

The change in defaults would make this currently needed addition obsolete.

Cheers,
Balint