Would it be that you need this? DPKG_EXPORT_BUILDFLAGS = 1 include /usr/share/dpkg/buildflags.mk
-- =Do- N.AND 2013/6/25 Ritesh Raj Sarraf <r...@debian.org>: > Hi, > > Following the Hardening wiki, I have build-dep the hardening-includes > package and enabled the hardening flags as follows : > > rrs@zan:/var/tmp/sg3-utils (build)$ cat debian/rules > #!/usr/bin/make -f > # debian/rules file for the sg3-utils package > > # This has to be exported to make some magic below work. > export DH_OPTIONS > > include /usr/share/hardening-includes/hardening.make > > CPPFLAGS:=$(shell dpkg-buildflags --get CPPFLAGS) > CFLAGS:=$(shell dpkg-buildflags --get CFLAGS) > CXXFLAGS:=$(shell dpkg-buildflags --get CXXFLAGS) > LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS) > > > But still, the hardening-check tool reports this: > > rrs@zan:/var/tmp/Debian-Build/Result$ hardening-check /usr/bin/sg_inq > /usr/bin/sg_inq: > Position Independent Executable: no, normal executable! > Stack protected: no, not found! > Fortify Source functions: no, only unprotected functions found! > Read-only relocations: no, not found! > Immediate binding: no, not found! > > any suggestion on what could have gone wrong? > > > Looking at the build log, I don't see the hardening flags being honored: > > libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I ../include > -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Wall -W -g -O2 -c > sg_pt_linux.c -o sg_pt_linux.o >/dev/null 2>&1 > /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. > -I.. -I ../include -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Wall > -W -g -O2 -c -o sg_io_linux.lo sg_io_linux.c > libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I ../include > -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Wall -W -g -O2 -c > sg_io_linux.c -fPIC -DPIC -o .libs/sg_io_linux.o > libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I ../include > -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Wall -W -g -O2 -c > sg_io_linux.c -o sg_io_linux.o >/dev/null 2>&1 > > > > If I bump the debhelper version to > 9, I do see the correct build flags. > > -- > Given the large number of mailing lists I follow, I request you to CC me > in replies for quicker response > > -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/cann5kotv8sfomaef34tai_fhpc4dn0tan_w18bsthoxpqzk...@mail.gmail.com