On Sun, Aug 05, 2018 at 03:54:23PM -0300, Herbert Fortes wrote:
> > > > > Sorry, but can you please add to debian/rules:
> > > > >
> > > > > export DEB_LDFLAGS_MAINT_APPEND = -fPIE -pie
> > > > > export DEB_CFLAGS_MAINT_APPEND = -fPIE
> > > > Why?
> > > Because of 'blhc --all'
> > I'm sorry but that's not a valid reason.
> Can you tell me why not?
Sure. First of all, you should never do some change because some static analyzer told you. You need to understand what it told you, why, and why it thinks you should do that change.

blhc just analyzes build logs to make sure all expected flags are passed.

"--all Force check for all +all (+pie, +bindnow) hardening flags. By default it's auto detected."

So if you use --all you either know that the package should pass the flags for both pie and bindnow or must ignore the respective blhc warnings.

dpkg-buildflags(1) says that the pie hardening option has no effect on most architectures, as it's enabled in gcc, so no flags are passed. In such situations you need to check the result, in this case check whether the binary has PIE enabled, not just blindly follow an incorrectly used static analyzer (and even then you need to find out the problem and not just pass some compiler/linker flags).
> What I know is just 'blhc' is enough. But why not
> use '--all'?
>
> I do not know much about that and I can learn new
> if you say a bit more.

-- 
WBR, wRAR
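The check the reply asks for, looking at the produced binary instead of at blhc's warning, as an added example that is not part of this thread or of blhc/dpkg: a small Python script that reads the ELF64 header, program headers and dynamic section and reports whether the executable is PIE and whether it was linked with BIND_NOW (the two properties `blhc --all` expects). The function names (`elf_hardening`, `build_elf`, `check_samples`, `check_file`) are this example's own, and the three sample images are constructed in memory, not taken from any real package.

```python
"""Inspect an ELF64 binary for PIE and BIND_NOW, the two properties that
`blhc --all` expects the build flags to produce.

Added example, not code from the thread or from blhc/dpkg. It parses the
ELF structures directly so it runs on a plain Python install; the sample
binaries below are constructed in memory (no real files are read)."""
import struct

# ELF constants (values from elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW, DF_1_PIE = 0x1, 0x08000000


def elf_hardening(data: bytes) -> dict:
    """Return {'type', 'pie', 'bindnow'} for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    # Walk the program headers: PT_INTERP marks an executable (a shared
    # library is ET_DYN too but has no interpreter); PT_DYNAMIC locates
    # the dynamic section that carries the BIND_NOW / PIE flags.
    has_interp = False
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, base)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    flags = flags_1 = 0
    bind_now_tag = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            tag, val = struct.unpack_from("<qQ", data, off)
            if tag == DT_NULL:
                break
            if tag == DT_FLAGS:
                flags = val
            elif tag == DT_FLAGS_1:
                flags_1 = val
            elif tag == DT_BIND_NOW:
                bind_now_tag = True

    # PIE: position-independent (ET_DYN) *and* an executable, i.e. it has an
    # interpreter or the explicit DF_1_PIE marker newer linkers emit.
    pie = e_type == ET_DYN and (has_interp or bool(flags_1 & DF_1_PIE))
    # BIND_NOW may be expressed by any of three tags depending on the linker.
    bindnow = bind_now_tag or bool(flags & DF_BIND_NOW) or bool(flags_1 & DF_1_NOW)
    kind = {ET_EXEC: "ET_EXEC", ET_DYN: "ET_DYN"}.get(e_type, hex(e_type))
    return {"type": kind, "pie": pie, "bindnow": bindnow}


def check_file(path: str) -> dict:
    """Run the check on a real binary on disk (e.g. one from debian/tmp)."""
    with open(path, "rb") as fh:
        return elf_hardening(fh.read())


def build_elf(e_type: int, interp: bool, dyn: list) -> bytes:
    """Constructed minimal ELF64 image: header, program headers, dynamic section."""
    phnum = 1 + (1 if interp else 0)
    phoff = 64                      # program headers follow the 64-byte header
    dyn_off = phoff + phnum * 56    # dynamic section follows the program headers
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
    dyn_bytes += struct.pack("<qQ", DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, v1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, phoff,
                              0, 0, 64, 56, phnum, 64, 0, 0)
    phdrs = b""
    if interp:
        phdrs += struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 1)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0,
                         len(dyn_bytes), len(dyn_bytes), 8)
    return hdr + phdrs + dyn_bytes


# Constructed samples standing in for three build outcomes.
SAMPLES = {
    # what the default dpkg-buildflags hardening (pie + bindnow) should yield
    "hardened": build_elf(ET_DYN, True,
                          [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW | DF_1_PIE)]),
    # linked with -no-pie: fixed-address executable, lazy binding
    "no_pie": build_elf(ET_EXEC, True, []),
    # a shared library is ET_DYN as well, but it is not a PIE executable
    "shared_lib": build_elf(ET_DYN, False, [(DT_FLAGS_1, DF_1_NOW)]),
}


def check_samples() -> dict:
    return {name: elf_hardening(img) for name, img in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in check_samples().items():
        print(f"{name:11} type={r['type']} pie={r['pie']} bindnow={r['bindnow']}")
```

On a real package the point of the exercise is `check_file()` against the binaries under debian/tmp after the build, which shows whether the toolchain already produced a PIE regardless of what blhc inferred from the log; Debian's `hardening-check` (devscripts) performs this and further checks (RELRO, stack protector, fortified functions) if you would rather not parse ELF by hand.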