Kees Cook <k...@debian.org> writes:

> First of all, in debian/rules:

> # Enable compiler hardening flags.
> export DEB_BUILD_MAINT_OPTIONS = all

> Was this intended to be:

> export DEB_BUILD_MAINT_OPTIONS = hardening=all

> This may cause trouble with the .so's -fPIC bits, so you can probably
> leave the entire line off, unless you want to enable bindnow:

> export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow

Ack, yes, I did that completely incorrectly. Thank you. I'm fixing that
now. hardening=+bindnow is indeed what I'm going to use, and I was just
completely confused before.

> However, as pointed out earlier in the bug, raw "memcpy()" is still
> visible. This is, ultimately, because the code is performing a check
> that neither the compile-time nor run-time code knows how to deal with
> (i.e. a dynamically sized destination). In this case (and in the case of
> being always safe at compile-time), the macros end up just using
> memcpy() directly:

Aha, okay. Thank you for the clarification!

--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>