Otto Kekäläinen <o...@debian.org> wrote: > I've read this section many times over but I don't get it. A > workaround is presented but since we are on a new debhelper it is > advised not to be used. It suggests using > /usr/share/dpkg/buildflags.mk but since we already call default.mk the > buildflags.mk should be included. There are some variables set, but > since the cmake command does not include them, changes in them does > not have an effect. There is no explanation about that flags do what > and which are the relevant ones, so blindly just defining everything > does not seem like a savvy solution.
CMake is a bit "special" in that regard. To get the right hardening flags to work for some parts of Bacula, we had to include the following patch to kind-of brute force the flags: https://salsa.debian.org/bacula-team/bacula/blob/master/debian/patches/debian/enable-hardening-for-qmake ,---- | --- a/src/qt-console/bat.pro.in | +++ b/src/qt-console/bat.pro.in | @@ -187,3 +187,9 @@ | QMAKE_EXTRA_TARGETS += depend | | TRANSLATIONS += ts/bat_fr.ts ts/bat_de.ts | + | +### See https://wiki.debian.org/Hardening#Notes_for_packages_using_QMake | +QMAKE_CPPFLAGS *= $(shell dpkg-buildflags --get CPPFLAGS) | +QMAKE_CFLAGS *= $(shell "dpkg-buildflags --get CFLAGS; dpkg-buildflags --get CPPFLAGS") | +QMAKE_CXXFLAGS *= $(shell "dpkg-buildflags --get CXXFLAGS; dpkg-buildflags --get CPPFLAGS") | +QMAKE_LFLAGS *= $(shell dpkg-buildflags --get LDFLAGS) `----[...] The rules file https://salsa.debian.org/bacula-team/bacula/blob/master/debian/rules just contains the usual: ,---- | # enable bindnow | # https://wiki.debian.org/HardeningWalkthrough | export DEB_BUILD_MAINT_OPTIONS = hardening=+all | | # avoid unnecessary linking | # https://wiki.debian.org/HardeningWalkthrough | export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed `---- Maybe this gives you a hint at what to do and where. S! -- Sigmentation fault. Core dumped.