Hi again,

Quoting Johannes Schauer (2014-03-18 01:03:27)
> after having tried that and other things without avail I tried using
>
>     export DEB_BUILD_HARDENING=1
>
> in debian/rules. This enables hardening-wrapper and should thus work no matter
> what goes wrong in the build system. Interestingly the problems remain. I tried
> running hardening-check manually on the generated binary:
>
> $ hardening-check ./obj-x86_64-linux-gnu/server/vcmiserver
> ./obj-x86_64-linux-gnu/server/vcmiserver:
>  Position Independent Executable: yes
>  Stack protected: yes
>  Fortify Source functions: no, only unprotected functions found!
>  Read-only relocations: yes
>  Immediate binding: yes

turns out that the unprotected functions are probably false positives because
"blhc --all" shows no output at all. This means that all hardening options are
set during compilation. Here is the verbose hardening-check output:

 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: no, only unprotected functions found!
        unprotected: memset
        unprotected: memmove
        unprotected: poll
        unprotected: memcpy
 Read-only relocations: yes
 Immediate binding: yes

This is now produced without hardening-wrapper but instead by using

    export DEB_BUILD_MAINT_OPTIONS=hardening=+all

in debian/rules. Turns out that the build system is actually not broken and
passes all flags on just fine and no hackery with CMAKE_CXX_FLAGS or the like is
needed. :)

The fixed version has been uploaded to mentors.

Now I need somebody to look over the packaging and a mentor :)

cheers, josch

Archive: https://lists.debian.org/20140318174638.1302.16415@hoothoot
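
Added example, not part of the original message and not hardening-check's own code: a simplified sketch of a symbol-level fortify check like the one whose verdict is quoted above. It assumes `readelf --dyn-syms -W` style input and a small hand-picked list of fortifiable functions; the sample symbol table is constructed. Such a check only sees which names the binary imports, so it cannot tell a build that lacked `-D_FORTIFY_SOURCE` from one where the compiler kept the plain call because it could not determine the buffer size, which is why a build-log check such as blhc is the complementary test.

```python
import re

# Assumed, hand-picked subset of libc functions that have a __<name>_chk variant.
FORTIFIABLE = {"memset", "memmove", "memcpy", "poll", "strcpy", "sprintf"}

# Name column of an undefined (imported) symbol in `readelf --dyn-syms -W` output.
UND_SYMBOL = re.compile(r"\sUND\s+([A-Za-z_][A-Za-z0-9_]*)")
CHK_NAME = re.compile(r"__(\w+)_chk")

# Constructed sample: imports matching the four unprotected names in the mail.
SAMPLE_UNPROTECTED = """\
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memset@GLIBC_2.2.5 (2)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memmove@GLIBC_2.2.5 (2)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND poll@GLIBC_2.2.5 (2)
     6: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (3)
     7: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (4)
"""

def classify_fortify(dynsyms):
    """Return (verdict, protected, unprotected) for a dynamic symbol listing."""
    protected, unprotected = set(), set()
    for line in dynsyms.splitlines():
        match = UND_SYMBOL.search(line)
        if not match:
            continue  # defined symbol or header line
        name = match.group(1)
        chk = CHK_NAME.fullmatch(name)  # __stack_chk_fail does not match
        if chk and chk.group(1) in FORTIFIABLE:
            protected.add(chk.group(1))
        elif name in FORTIFIABLE:
            unprotected.add(name)
    if protected:
        verdict = "yes"      # at least one checked variant is imported
    elif unprotected:
        verdict = "no"       # only plain variants: the case reported above
    else:
        verdict = "unknown"  # nothing fortifiable is imported at all
    return verdict, sorted(protected), sorted(unprotected)

if __name__ == "__main__":
    print(classify_fortify(SAMPLE_UNPROTECTED))
```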