On Mon, Jun 10, 2024 at 04:06:13PM +0500, Andrey Rakhmatullin wrote:
> Do you think it makes sense to add this a flag that enables -Werror=format
> to dpkg-buildflags(1), before, or after a test rebuild, before, or after
> the MBF if we do one?

I think that a test rebuild and the MBF are reasonable preconditions to
extend the default build flags (and with default I mean changing
hardening=+all). As multiple people pointed out, the effects of the
flags are hard to predict and they can even cause misbuilds (via failing
configure checks), so these flags do have a non-trivial cost (and
benefits).

Ideally, we'd not just do a rebuild with the flags, but also do a
rebuild without and then compare the binary .debs. In the event that we
misguide configure, we expect the .debs to differ and otherwise to equal
due to the work of the reproducible builds folks. That equality has a
really annoying difference in practice though: Build ids are dependent
on the compiler flags, so the comparison would have to magically ignore
changes in build id and this is where things become quite difficult.

> Another related question: if not via dpkg-buildflags, how do we do
> rebuilds with changed default flags?

If you export DEB_CFLAGS_APPEND=-Werror=format=2 and
DEB_CXXFLAGS_APPEND=-Werror=format=2 (not to be confused with
DEB_*_MAINT_APPEND which is often set in d/rules), you should get most
packages to pick up these flags.

Possibly debusine.debian.net can be used to perform such a rebuild
rather than using your own resources. Steering it to do this is a
non-trivial task at present, but my impression is that you will
receive support in doing so and it can do native armhf builds
(eliminating the need for cross builds). Your mileage will vary.

In any case, my impression is that the first step towards changing
hardening flags is actually performing test builds in whatever form.

Helmut
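
The comparison discussed in the message above, narrowed to a single ELF file taken from each of the two builds, as an added example that is not part of the original post or of any Debian tool. The function names, the ELF64 little-endian restriction and the choice of `.note.gnu.build-id` as the only ignored section are assumptions of this sketch; it does not cover other places a build id can surface in a .deb, such as debug symbol packages.

```python
import struct

# Assumption: the only section allowed to differ between the two builds.
IGNORED = (".note.gnu.build-id",)

def sections(elf):
    """Return [(name, offset, size)] for an ELF64 little-endian image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    (shoff,) = struct.unpack_from("<Q", elf, 0x28)
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 0x3A)
    def header(i):  # sh_name, sh_offset, sh_size of section i
        name, _t, _f, _a, off, size = struct.unpack_from(
            "<IIQQQQ", elf, shoff + i * shentsize)
        return name, off, size
    _, stroff, strsize = header(shstrndx)
    names = elf[stroff:stroff + strsize]
    out = []
    for i in range(shnum):
        name, off, size = header(i)
        out.append((names[name:names.index(b"\0", name)].decode(), off, size))
    return out

def masked(elf, ignored=IGNORED):
    """Copy of the image with the ignored sections' bytes zeroed."""
    buf = bytearray(elf)
    for name, off, size in sections(elf):
        if name in ignored:
            buf[off:off + size] = bytes(size)
    return bytes(buf)

def same_except_build_id(a, b, ignored=IGNORED):
    """True when two images differ only inside the ignored sections."""
    return len(a) == len(b) and masked(a, ignored) == masked(b, ignored)

def toy_elf(build_id, text):
    """Constructed sample: ELF64 with .text, a build-id note and .shstrtab."""
    names = b"\0.text\0.note.gnu.build-id\0.shstrtab\0"
    note = struct.pack("<III", 4, len(build_id), 3) + b"GNU\0" + build_id
    data, shdrs = b"", b""
    for body, n, t in [(b"", 0, 0), (text, 1, 1), (note, 7, 7), (names, 26, 3)]:
        shdrs += struct.pack("<IIQQQQIIQQ", n, t, 0, 0, 64 + len(data),
                             len(body), 0, 0, 1, 0)
        data += body
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, 64 + len(data), 0, 64, 0, 0, 64, 4, 3)
    return ehdr + data + shdrs
```

A result of `False` for a pair of files is the signal the message describes: something other than the build id changed, for example because a configure check was misled by the extra flag.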