Hi Bernhard, Just to be clear, I only mentioned hardening at all because the Debian page about hardening has useful information about how to ensure the flags from dpkg-buildflags are being used. Apart from that, this bug has nothing to do with hardening.
> Using -ffile-prefix-map without the -fdebug-prefix-map makes the > embedded build path disappear, too. -ffile-prefix-map implies -fdebug-prefix-map … but given that -fdebug-prefix-map is enabled in dpkg right now, this means that rr is not honouring the values from dpkg-buildflags. The solution though is to ensure that all flags are being honoured. Then, implicitly, rr will become reproducible. Adding specific flags in the manner you are doing is not the right solution here I'm afraid. Absolutely useful for debugging, but it is not the right solution. > For these I added the -ffile-prefix-map additionally to the > -fdebug-prefix-map. > That raises the question if the -fdebug should be replaced by -ffile > in the hardening flags globally? [5] This is the plan and should hopefully change in a matter of weeks, if not days: https://lists.debian.org/debian-devel/2020/10/msg00222.html ... although this will have no bearing on rr based on what you have mentioned here, especially as rr is not obeying any dpkg-buildflags. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-
