[hardening-discuss] Bug#823869: please set build flags to explicit values, don't assume defaults
Matthias Klose
doko at debian.org
Mon May 9 19:47:09 UTC 2016
Package: dpkg,hardening-wrapper
With GCC 6 (and backported to GCC 5), GCC can be configured with
--enable-default-pie. DEB_BUILD_*OPTIONS allows explicit disabling of some
features, however with changed defaults, all these settings are a no-op.
Therefore please don't assume any default settings, but set these flags explicitly.
For this example, when seeing -pie, add -fno-PIE to C*FLAGS, -no-pie to LDFLAGS.
But also consider explicitly adding -O0 to C*FLAGS when noopt is passed. This
should apply to any features that are settable by DEB_BUILD_*OPTIONS.
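
Added example, not part of the original message and not code from dpkg or hardening-wrapper: a shell sketch of the requested behaviour, resolving the pie feature and noopt to flags that are always stated explicitly. The function names resolve_pie and explicit_flags are hypothetical; treating pie as off unless requested, using -O2 as the optimised level, and using -fPIE/-pie for the enabled state are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not dpkg's implementation).

# resolve_pie MAINT_OPTIONS -> prints "on" or "off".
# MAINT_OPTIONS uses DEB_BUILD_MAINT_OPTIONS syntax, e.g. "hardening=+all,-pie".
# Later entries override earlier ones.
resolve_pie() {
    state=off                      # assumption: off unless requested
    for area in $1; do
        case $area in
            hardening=*) ;;
            *) continue ;;
        esac
        old_ifs=$IFS; IFS=,
        for feat in ${area#hardening=}; do
            case $feat in
                +pie|+all) state=on ;;
                -pie|-all) state=off ;;
            esac
        done
        IFS=$old_ifs
    done
    echo "$state"
}

# explicit_flags MAINT_OPTIONS BUILD_OPTIONS -> prints CFLAGS= and LDFLAGS= lines.
# BUILD_OPTIONS uses DEB_BUILD_OPTIONS syntax, e.g. "noopt parallel=4".
explicit_flags() {
    case " $2 " in
        *" noopt "*) cflags="-O0" ;;   # stated, not left to the compiler default
        *)           cflags="-O2" ;;   # assumption: usual optimised level
    esac
    if [ "$(resolve_pie "$1")" = on ]; then
        cflags="$cflags -fPIE"; ldflags="-fPIE -pie"
    else
        # Negative forms: a GCC configured with --enable-default-pie would
        # otherwise still produce PIE output although the feature is disabled.
        cflags="$cflags -fno-PIE"; ldflags="-no-pie"
    fi
    printf 'CFLAGS=%s\nLDFLAGS=%s\n' "$cflags" "$ldflags"
}

# Constructed sample input: pie disabled, optimisation disabled.
explicit_flags "hardening=+all,-pie" "noopt"
```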