[debian-mysql] Seeking hardening flag / blhc expert

Otto Kekäläinen otto at debian.org
Fri Apr 5 19:07:01 BST 2019


Hello!

Is there any hardening flag / cmake expert around who could help me
get the hardening flags perfect in MariaDB 10.3?

Current state of build log issues:
https://qa.debian.org/bls/packages/m/mariadb-10.3.html

The blhc tool currently outputs this:

$ blhc --debian --line-numbers --color ${WORKING_DIR}/*.build || [ $? -eq 1 ]
9962:CPPFLAGS missing (-D_FORTIFY_SOURCE=2):
/usr/lib/ccache/x86_64-linux-gnu-g++
-I/tmp/building/package/builddir/storage/tokudb/PerconaFT/snappy/src/build_snappy
-std=c++11 -g -O2 -fdebug-prefix-map=/tmp/building/package=.
-fstack-protector-strong -Wformat -Werror=format-security -pie -fPIC
-Wl,-z,relro,-z,now -fstack-protector --param=ssp-buffer-size=4
-fno-rtti -Wno-shadow -Wno-implicit-fallthrough -std=c++11
-Wno-missing-field-initializers -Wno-missing-field-initializers
-Wstrict-null-sentinel -Winit-self -Wswitch -Wtrampolines -Wlogical-op
-Wno-error=missing-format-attribute -Wno-error=maybe-uninitialized
-fno-rtti -fno-exceptions -Wno-error=nonnull-compare -Wpacked
-fno-omit-frame-pointer -Wno-error=strict-overflow -fexceptions
-Wextra -Wno-missing-noreturn -Wmissing-declarations -Wpointer-arith
-Wcast-align -O2 -g -DNDEBUG -fPIC -Wno-sign-compare
-Wno-unused-function -Wno-unused-parameter -fvisibility=hidden -fPIC
-o CMakeFiles/snappy.dir/snappy.cc.o -c
/tmp/building/package/builddir/storage/tokudb/PerconaFT/snappy/src/build_snappy/snappy.cc
9964:CPPFLAGS missing (-D_FORTIFY_SOURCE=2):
/usr/lib/ccache/x86_64-linux-gnu-g++
-I/tmp/building/package/builddir/storage/tokudb/PerconaFT/snappy/src/build_snappy
-std=c++11 -g -O2 -fdebug-prefix-map=/tmp/building/package=.
-fstack-protector-strong -Wformat -Werror=format-security -pie -fPIC
-Wl,-z,relro,-z,now -fstack-protector --param=ssp-buffer-size=4
-fno-rtti -Wno-shadow -Wno-implicit-fallthrough -std=c++11
-Wno-missing-field-initializers -Wno-missing-field-initializers
-Wstrict-null-sentinel -Winit-self -Wswitch -Wtrampolines -Wlogical-op
-Wno-error=missing-format-attribute -Wno-error=maybe-uninitialized
-fno-rtti -fno-exceptions -Wno-error=nonnull-compare -Wpacked
-fno-omit-frame-pointer -Wno-error=strict-overflow -fexceptions
-Wextra -Wno-missing-noreturn -Wmissing-declarations -Wpointer-arith
-Wcast-align -O2 -g -DNDEBUG -fPIC -Wno-sign-compare
-Wno-unused-function -Wno-unused-parameter -fvisibility=hidden -fPIC
-o CMakeFiles/snappy.dir/snappy-c.cc.o -c
/tmp/building/package/builddir/storage/tokudb/PerconaFT/snappy/src/build_snappy/snappy-c.cc
9966:CPPFLAGS missing (-D_FORTIFY_SOURCE=2):
/usr/lib/ccache/x86_64-linux-gnu-g++
-I/tmp/building/package/builddir/storage/tokudb/PerconaFT/snappy/src/build_snappy
-std=c++11 -g -O2 -fdebug-prefix-map=/tmp/building/package=.
-fstack-protector-strong -Wformat -Werror=format-security -pie -fPIC
-Wl,-z,relro,-z,now -fstack-protector --param=ssp-buffer-size=4
-fno-rtti -Wno-shadow -Wno-implicit-fallthrough -std=c++11
-Wno-missing-field-initializers -Wno-missing-field-initializers
-Wstrict-null-sentinel -Winit-self -Wswitch -Wtrampolines -Wlogical-op
-Wno-error=missing-format-attribute -Wno-error=maybe-uninitialized
-fno-rtti -fno-exceptions -Wno-error=nonnull-compare -Wpacked
-fno-omit-frame-pointer -Wno-error=strict-overflow -fexceptions
-Wextra -Wno-missing-noreturn -Wmissing-declarations -Wpointer-arith
-Wcast-align -O2 -g -DNDEBUG -fPIC -Wno-sign-compare
-Wno-unused-function -Wno-unused-parameter -fvisibility=hidden -fPIC
-o CMakeFiles/snappy.dir/snappy-sinksource.cc.o -c
/tmp/building/package/builddir/storage/tokudb/PerconaFT/snappy/src/build_snappy/snappy-sinksource.cc
9968:CPPFLAGS missing (-D_FORTIFY_SOURCE=2):
/usr/lib/ccache/x86_64-linux-gnu-g++
-I/tmp/building/package/builddir/storage/tokudb/PerconaFT/snappy/src/build_snappy
-std=c++11 -g -O2 -fdebug-prefix-map=/tmp/building/package=.
-fstack-protector-strong -Wformat -Werror=format-security -pie -fPIC
-Wl,-z,relro,-z,now -fstack-protector --param=ssp-buffer-size=4
-fno-rtti -Wno-shadow -Wno-implicit-fallthrough -std=c++11
-Wno-missing-field-initializers -Wno-missing-field-initializers
-Wstrict-null-sentinel -Winit-self -Wswitch -Wtrampolines -Wlogical-op
-Wno-error=missing-format-attribute -Wno-error=maybe-uninitialized
-fno-rtti -fno-exceptions -Wno-error=nonnull-compare -Wpacked
-fno-omit-frame-pointer -Wno-error=strict-overflow -fexceptions
-Wextra -Wno-missing-noreturn -Wmissing-declarations -Wpointer-arith
-Wcast-align -O2 -g -DNDEBUG -fPIC -Wno-sign-compare
-Wno-unused-function -Wno-unused-parameter -fvisibility=hidden -fPIC
-o CMakeFiles/snappy.dir/snappy-stubs-internal.cc.o -c
/tmp/building/package/builddir/storage/tokudb/PerconaFT/snappy/src/build_snappy/snappy-stubs-internal.cc

Full log at:
https://salsa.debian.org/mariadb-team/mariadb-10.3/-/jobs/153422

d/rules:
https://salsa.debian.org/mariadb-team/mariadb-10.3/blob/master/debian/rules
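
A triage sketch for output like the above, added here as an example and not part of the original message or of blhc: it groups compile lines that lack an effective -D_FORTIFY_SOURCE=2 by source directory, so it is visible which part of the tree the misses come from. The function names and the shortened log lines are constructed, and it assumes one compile command per log line.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample: shortened compile lines modelled on the log above, plus
# one hardened line and one where a later -U undoes the define.
SAMPLE_LOG = """\
/usr/lib/ccache/x86_64-linux-gnu-g++ -I/b/snappy/src/build_snappy -g -O2 -fstack-protector-strong -fPIC -o CMakeFiles/snappy.dir/snappy.cc.o -c /b/snappy/src/build_snappy/snappy.cc
/usr/lib/ccache/x86_64-linux-gnu-g++ -I/b/snappy/src/build_snappy -g -O2 -fstack-protector-strong -fPIC -o CMakeFiles/snappy.dir/snappy-c.cc.o -c /b/snappy/src/build_snappy/snappy-c.cc
/usr/lib/ccache/x86_64-linux-gnu-g++ -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector-strong -o sql/item.cc.o -c /b/sql/item.cc
/usr/lib/ccache/x86_64-linux-gnu-gcc -D_FORTIFY_SOURCE=2 -U_FORTIFY_SOURCE -g -O2 -o mysys/my_init.c.o -c /b/mysys/my_init.c
"""

COMPILER = re.compile(r"(?:^|[/-])(?:gcc|g\+\+|cc|c\+\+|clang(?:\+\+)?)$")
SOURCE = re.compile(r"\.(?:c|cc|cpp|cxx)$")

def fortify_level(args):
    """Effective _FORTIFY_SOURCE level; the last -D/-U on the line wins."""
    level = 0
    for arg in args:
        if arg == "-U_FORTIFY_SOURCE":
            level = 0
        elif arg.startswith("-D_FORTIFY_SOURCE"):
            value = arg.partition("=")[2]
            level = int(value) if value.isdigit() else 1  # bare -D defines 1
    return level

def optimised(args):
    """True if the last -O option enables optimisation, which glibc needs for fortify."""
    levels = [arg for arg in args if arg.startswith("-O")]
    return bool(levels) and levels[-1] != "-O0"

def unfortified(log_text):
    """Map source directory -> files compiled without an effective fortify level 2."""
    misses = defaultdict(list)
    for line in log_text.splitlines():
        try:
            args = shlex.split(line)
        except ValueError:  # unbalanced quotes in unrelated log noise
            continue
        if not args or not COMPILER.search(args[0]) or "-c" not in args:
            continue
        sources = [a for a in args[1:] if SOURCE.search(a) and not a.startswith("-")]
        if sources and (fortify_level(args) < 2 or not optimised(args)):
            directory, _, name = sources[-1].rpartition("/")
            misses[directory].append(name)
    return dict(misses)

if __name__ == "__main__":
    for directory, files in unfortified(SAMPLE_LOG).items():
        print(f"{directory}: {', '.join(files)}")
```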
