[PATCH] debian: enable build hardening features
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Sun Jun 9 18:35:03 PDT 2019
Debian's build hardening toolchain options produce binary artifacts
that are more resistant to compromise. The most visible change for
notmuch today is likely to be the addition of the "bindnow" linker
flag, which contributes to making the "Global Offset Table" fully
read-only.
See https://wiki.debian.org/Hardening for more details.
Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
---
debian/rules | 2 ++
1 file changed, 2 insertions(+)
diff --git a/debian/rules b/debian/rules
index d056edb6..ebd10481 100755
--- a/debian/rules
+++ b/debian/rules
@@ -2,6 +2,8 @@
python3_all = py3versions -s | xargs -n1 | xargs -t -I {} env {}
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
%:
dh $@ --with python2,python3,elpa
--
2.20.1
More information about the notmuch
mailing list