unofficial mirror of notmuch@notmuchmail.org
* [PATCH] debian: enable build hardening features
@ 2019-06-10  1:35 Daniel Kahn Gillmor
  2019-06-11 10:33 ` David Bremner
  0 siblings, 1 reply; 2+ messages in thread
From: Daniel Kahn Gillmor @ 2019-06-10  1:35 UTC
  To: Notmuch Mail

Debian's build hardening toolchain options produce binary artifacts
that are more resistant to compromise.  The most visible change for
notmuch today is likely to be the addition of the "bindnow" linker
flag, which contributes to making the "Global Offset Table" fully
read-only.

See https://wiki.debian.org/Hardening for more details.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
 debian/rules | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/debian/rules b/debian/rules
index d056edb6..ebd10481 100755
--- a/debian/rules
+++ b/debian/rules
@@ -2,6 +2,8 @@
 
 python3_all = py3versions -s | xargs -n1 | xargs -t -I {} env {}
 
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
 %:
 	dh $@ --with python2,python3,elpa
 
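Review bot: The added "export DEB_BUILD_MAINT_OPTIONS = hardening=+all" line carries no comment in debian/rules saying why it is there, and nothing in the patch confirms that the flags reach the compile and link steps. A one-line comment above the export pointing at https://wiki.debian.org/Hardening would help the next person editing this file. Since "dh $@" hands the flags to the upstream build through the environment, it is also worth confirming on a built package that they are honored, for example with hardening-check from devscripts on the installed binaries or blhc on the build log.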
-- 
2.20.1


* Re: [PATCH] debian: enable build hardening features
  2019-06-10  1:35 [PATCH] debian: enable build hardening features Daniel Kahn Gillmor
@ 2019-06-11 10:33 ` David Bremner
  0 siblings, 0 replies; 2+ messages in thread
From: David Bremner @ 2019-06-11 10:33 UTC
  To: Daniel Kahn Gillmor, Notmuch Mail

Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

> Debian's build hardening toolchain options produce binary artifacts
> that are more resistant to compromise.  The most visible change for
> notmuch today is likely to be the addition of the "bindnow" linker
> flag, which contributes to making the "Global Offset Table" fully
> read-only.
>

pushed to master.

d
