
Bug#905455: RFS: dmidecode/3.1-2



On 05-08-2018 16:14, Andrey Rahmatullin wrote:
On Sun, Aug 05, 2018 at 03:54:23PM -0300, Herbert Fortes wrote:
Sorry, but can you please add to debian/rules:

export DEB_LDFLAGS_MAINT_APPEND = -fPIE -pie
export DEB_CFLAGS_MAINT_APPEND = -fPIE
Why?
Because of 'blhc --all'
I'm sorry but that's not a valid reason.
Can you tell me why not?
Sure.
First of all, you should never do some change because some static analyzer
told you. You need to understand what it told you, why, and why it
thinks you should do that change.
blhc just analyzes build logs to make sure all expected flags are passed.
"--all   Force check for all +all (+pie, +bindnow) hardening flags. By default it's auto detected."
So if you use --all you either know that the package should pass the flags
for both pie and bindnow or must ignore the respective blhc warnings.
dpkg-buildflags(1) says that the pie hardening option has no effect on
most architectures, as it's enabled in gcc, so no flags are passed.
In such situations you need to check the result, in this case check
whether the binary has PIE enabled, not just blindly follow an
incorrectly used static analyzer (and even then you need to find out the
problem and not just pass some compiler/linker flags).


Ok. Thanks.
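Checking the result rather than the build log, as the reply above advises, means reading the ELF headers of the built binary. The following is an added example, not code from this thread, from blhc or from the dmidecode package: it reports PIE and bindnow from an ELF image. It assumes a 64-bit little-endian ELF, treats an `ET_DYN` file with a `PT_INTERP` segment or the `DF_1_PIE` flag as a PIE executable (a heuristic), and uses a hypothetical `build_sample` helper that constructs header-only test images.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

def hardening(elf: bytes) -> dict:
    """Report PIE and bindnow for a 64-bit little-endian ELF image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a 64-bit little-endian ELF file")
    e_type, = struct.unpack_from("<H", elf, 16)
    e_phoff, = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    interp, dyn = False, {}
    for i in range(e_phnum):
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            interp = True
        elif p_type == PT_DYNAMIC:
            for off in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, off)
                if tag == DT_NULL:
                    break
                dyn[tag] = val
    # ET_DYN covers both PIE executables and shared libraries, so look for
    # an interpreter segment or the linker's DF_1_PIE marker (heuristic).
    pie = e_type == ET_DYN and (interp or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_PIE))
    bindnow = (DT_BIND_NOW in dyn or bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW)
               or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_NOW))
    return {"pie": pie, "bindnow": bindnow}

def build_sample(e_type, dyn_entries, with_interp=True):
    """Hypothetical helper: constructed header-only ELF image, not loadable."""
    segs = [PT_DYNAMIC] + ([PT_INTERP] if with_interp else [])
    dyn_off = 64 + 56 * len(segs)
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries + [(DT_NULL, 0)])
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", e_type, 62, 1,
                       0, 64, 0, 0, 64, 56, len(segs), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, dyn_off, 0, 0,
                                 len(dyn) if t == PT_DYNAMIC else 0, 0, 8) for t in segs)
    return ehdr + phdrs + dyn

if __name__ == "__main__":
    print(hardening(build_sample(ET_DYN, [(DT_FLAGS_1, DF_1_PIE | DF_1_NOW)])))
```

On a real build, pass the bytes of the installed binary to `hardening()` instead of a constructed sample.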

