[pkg-sec] Help with CFLAGS/LDFLAGS on t50
Marcos Fouces
mfouces at yahoo.es
Tue Jun 20 21:57:21 UTC 2017
Hello Samuel and team,

I suggest not patching configure.ac. Upstream considered the patch we
created for earlier versions of t50 and improved the configure scripts.
Lintian does not complain about missing flags so (AFAIK) one can safely
suppose that all pertinent hardening flags are applied and there is no
need to patch sources anymore in order to inject more flags.

This is the reason that led me to drop the previous patch and I suggest
that you should upload without it.

BTW, I was wondering if we could remove the "Architecture: linux-any" field
from the control file. Perhaps the package also builds on Hurd and kFreeBSD.
I decided not to do it because I cannot test the result.

Greetings,
Marcos
On 20/06/17 at 19:23, Lukas Schwaighofer wrote:
> Hi Samuel,
>
> I agree with Gianfranco regarding PIE. However, looking at the compile
> flags, I found that the configure script adds the following to the
> CFLAGS (with your gcc_flags.patch applied):
>
> CFLAGS+=" -s -DNDEBUG -fno-stack-protector"
>
> These options come after the "-g" and "-fstack-protector-strong" added
> by dpkg-buildflags and disable both of them.
>
> You should definitely remove "-s" (for the dbgsym package, the symbols
> will be stripped from the binary package automatically).
>
> You probably should also remove "-fno-stack-protector" (although there
> may be a reason why this was added by upstream…).
>
> Regards
> Lukas
>
>
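
The override described in the quoted reply can be checked mechanically. The following is an added example, not part of the original thread or of t50's build system: it reports which stack-protector and debug-symbol settings remain in effect for a flag string. The function names and the sample dpkg-buildflags string are assumptions constructed for illustration; the appended string is the one quoted above.

```shell
#!/bin/sh
# Added example: effective hardening/debug state of a compiler flag string.

# Constructed sample of flags injected by dpkg-buildflags (assumption).
SAMPLE_DPKG_FLAGS="-g -O2 -fstack-protector-strong"
# Flags the configure script appends, as quoted in the thread.
CONFIGURE_APPENDED="-s -DNDEBUG -fno-stack-protector"

# GCC applies the last -f[no-]stack-protector* option on the command line.
# Prints: off, basic, strong, all, explicit, or default (no option given).
effective_stack_protector() (
    result=default
    for flag in $1; do
        case "$flag" in
            -fno-stack-protector) result=off ;;
            -fstack-protector|-fstack-protector-strong|-fstack-protector-all|-fstack-protector-explicit)
                result=${flag#-fstack-protector}
                result=${result#-}
                [ -n "$result" ] || result=basic ;;
        esac
    done
    printf '%s\n' "$result"
)

# -s tells the linker to strip all symbols, wherever it appears, so debug
# info requested by -g does not survive. Prints: stripped, kept, or none.
effective_debug_symbols() (
    debug=none; strip=no
    for flag in $1; do
        case "$flag" in
            -g0) debug=none ;;
            -g|-g[1-3]|-ggdb*) debug=kept ;;
            -s) strip=yes ;;
        esac
    done
    if [ "$strip" = yes ]; then echo stripped; else echo "$debug"; fi
)

# Succeeds only if the stack protector is not disabled and symbols survive.
check_flags() (
    sp=$(effective_stack_protector "$1")
    dbg=$(effective_debug_symbols "$1")
    echo "stack-protector=$sp debug-symbols=$dbg"
    [ "$sp" != off ] && [ "$dbg" != stripped ]
)

check_flags "$SAMPLE_DPKG_FLAGS $CONFIGURE_APPENDED" ||
    echo "hardening or debug flags were overridden by later options"
```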