[PATCH] debian: enable build hardening features

Daniel Kahn Gillmor
[PATCH] debian: enable build hardening features

Debian's build hardening toolchain options produce binary artifacts
that are more resistant to compromise.  The most visible change for
notmuch today is likely to be the addition of the "bindnow" linker
flag, which contributes to making the "Global Offset Table" fully
read-only.

See https://wiki.debian.org/Hardening for more details.

Signed-off-by: Daniel Kahn Gillmor <[hidden email]>
---
 debian/rules | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/debian/rules b/debian/rules
index d056edb6..ebd10481 100755
--- a/debian/rules
+++ b/debian/rules
@@ -2,6 +2,8 @@
 
 python3_all = py3versions -s | xargs -n1 | xargs -t -I {} env {}
 
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
 %:
  dh $@ --with python2,python3,elpa
 
--
2.20.1

_______________________________________________
notmuch mailing list
[hidden email]
https://notmuchmail.org/mailman/listinfo/notmuch
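As an added example, not part of this thread or of notmuch itself: a small POSIX sh check that classifies an ELF binary's RELRO state the way hardening-check and checksec do, from readelf output. "Full" RELRO (the read-only GOT the patch is after) requires both a GNU_RELRO program header from -Wl,-z,relro and BIND_NOW in the dynamic section from -Wl,-z,now; relro without bindnow is only "partial", because the GOT must stay writable for lazy symbol resolution. The readelf text below is constructed with hypothetical addresses, and the function names are chosen here.

```shell
#!/bin/sh
# Added example (not from the notmuch thread): classify a binary's RELRO
# state the way hardening-check/checksec do, from `readelf` output.
# "full" needs a GNU_RELRO segment (-Wl,-z,relro) AND BIND_NOW in the
# dynamic section (-Wl,-z,now, Debian's "bindnow" hardening flag).

# classify_relro PROGRAM_HEADERS DYNAMIC_SECTION -> prints none | partial | full
classify_relro() {
    headers=$1
    dynamic=$2
    if ! printf '%s\n' "$headers" | grep -q 'GNU_RELRO'; then
        echo none
        return 0
    fi
    # ld records BIND_NOW as a DT_BIND_NOW tag, a DT_FLAGS bit, or DT_FLAGS_1 NOW
    if printf '%s\n' "$dynamic" | grep -Eq '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'; then
        echo full
    else
        echo partial
    fi
}

# relro_status PATH -> same classification, read from a real ELF on disk
relro_status() {
    classify_relro "$(readelf -lW "$1" 2>/dev/null)" "$(readelf -dW "$1" 2>/dev/null)"
}

# Constructed sample readelf output (hypothetical addresses), one per case.
SAMPLE_HDR_RELRO='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000d28 0x000d28 R   0x1000
  GNU_RELRO      0x002d68 0x0000000000003d68 0x0000000000003d68 0x000298 0x000298 R   0x1'
SAMPLE_HDR_NORELRO='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000d28 0x000d28 R   0x1000'
SAMPLE_DYN_NOW='Dynamic section at offset 0x2d78 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'
SAMPLE_DYN_LAZY='Dynamic section at offset 0x2d78 contains 26 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000006ffffffb (FLAGS_1)            Flags: PIE'

# Usage against a real file, e.g. the installed binary after the hardened build:
#   relro_status /usr/bin/notmuch
```

Run `relro_status` on the binary produced before and after the patch: a package built without bindnow reports "partial" even though relro is on, and only the combination reports "full".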
David Bremner-2

Re: [PATCH] debian: enable build hardening features

Daniel Kahn Gillmor <[hidden email]> writes:

> Debian's build hardening toolchain options produce binary artifacts
> that are more resistant to compromise.  The most visible change for
> notmuch today is likely to be the addition of the "bindnow" linker
> flag, which contributes to making the "Global Offset Table" fully
> read-only.
>

pushed to master.

d