Re: dpkg-buildflags bindnow

To: Jonathon Love <jon@thon.love>
Cc: Debian Science List <debian-science@lists.debian.org>
Subject: Re: dpkg-buildflags bindnow
From: Bálint Réczey <balint@balintreczey.hu>
Date: Fri, 30 Sep 2016 16:47:39 +0200
Message-id: <[🔎] CAK0OdpzszixtXbxPtOCB=AnFpMyaE6zwWCBT5PE-2FjR7T6tGg@mail.gmail.com>
Reply-to: balint@balintreczey.hu
In-reply-to: <[🔎] 2001833.FAaRDCeSx7@jatayu>
References: <[🔎] b1d50b63-308a-4bf0-24db-4246e8ac9303@thon.love> <[🔎] 2001833.FAaRDCeSx7@jatayu>

Hi All,

2016-09-03 8:24 GMT+02:00 Stuart Prescott <stuart@debian.org>:
> Hi Jonathon,
>
>> one proposed solution[1] is to add
>>
>>      $(shell dpkg-buildflags --get LDFLAGS)
>>
>> to the LDFLAGS
>>
>> however, dpkg-buildflags does *not* add flags for bindnow by default[2],
>> and the system needs additional configuration to add these.

There is an ongoing effort to make it the default:
https://wiki.debian.org/Hardening/PIEByDefaultTransition

Probably it would be a good idea to wait a few weeks to see if bindnow gets
enabled by default before (instead of) updating all the packages.

>
> Buried elsewhere on the wiki page is that you also need to enable additional
> hardening options for dpkg-buildflags to include bindnow. For lots of common
> build systems, dh will actually already include dpkg-buildflags --get LDFLAGS
> for you, the trick is to tell dpkg-buildflags to include yet more.
>
> Often, this is sufficient:
>
>         export DEB_BUILD_MAINT_OPTIONS = hardening=+all

The change in defaults would make this currently needed addition obsolete.

Cheers,
Balint

Reply to:

References:
- dpkg-buildflags bindnow
  - From: Jonathon Love <jon@thon.love>
- Re: dpkg-buildflags bindnow
  - From: Stuart Prescott <stuart@debian.org>

Prev by Date: Re: Debhelper for R packages
Previous by thread: Re: dpkg-buildflags bindnow
Next by thread: r-cran-rprotobuf 0.4.5-1 ready for upload
Index(es):
- Date
- Thread