* [PATCH] debian: enable build hardening features
@ 2019-06-10 1:35 Daniel Kahn Gillmor
2019-06-11 10:33 ` David Bremner
0 siblings, 1 reply; 2+ messages in thread
From: Daniel Kahn Gillmor @ 2019-06-10 1:35 UTC (permalink / raw)
To: Notmuch Mail
Debian's build hardening toolchain options produce binary artifacts
that are more resistant to compromise. The most visible change for
notmuch today is likely to be the addition of the "bindnow" linker
flag, which contributes to making the "Global Offset Table" fully
read-only.
See https://wiki.debian.org/Hardening for more details.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
debian/rules | 2 ++
1 file changed, 2 insertions(+)
diff --git a/debian/rules b/debian/rules
index d056edb6..ebd10481 100755
--- a/debian/rules
+++ b/debian/rules
@@ -2,6 +2,8 @@
python3_all = py3versions -s | xargs -n1 | xargs -t -I {} env {}
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
%:
dh $@ --with python2,python3,elpa
--
2.20.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] debian: enable build hardening features
2019-06-10 1:35 [PATCH] debian: enable build hardening features Daniel Kahn Gillmor
@ 2019-06-11 10:33 ` David Bremner
0 siblings, 0 replies; 2+ messages in thread
From: David Bremner @ 2019-06-11 10:33 UTC (permalink / raw)
To: Daniel Kahn Gillmor, Notmuch Mail
Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:
> Debian's build hardening toolchain options produce binary artifacts
> that are more resistant to compromise. The most visible change for
> notmuch today is likely to be the addition of the "bindnow" linker
> flag, which contributes to making the "Global Offset Table" fully
> read-only.
>
pushed to master.
d
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-06-11 10:33 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-10 1:35 [PATCH] debian: enable build hardening features Daniel Kahn Gillmor
2019-06-11 10:33 ` David Bremner
Code repositories for project(s) associated with this public inbox
https://yhetil.org/notmuch.git/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).