It seems that even though only
`export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow`
is used in d/rules, the build runs with all hardening flags [1].

Also cannot spot any missing parts via checksec on the binary/process.
$ checksec --file=/sbin/agetty
RELRO       STACK CANARY   NX          PIE          RPATH     RUNPATH     Symbols     FORTIFY  Fortified  Fortifiable  FILE
Full RELRO  Canary found   NX enabled  PIE enabled  No RPATH  No RUNPATH  No Symbols  Yes      7          14           /sbin/agetty

[1]: see for example
https://buildd.debian.org/status/fetch.php?pkg=util-linux&arch=amd64&ver=2.34-0.1&stamp=1564330426&raw=0
      the configure script reports using
          cflags:            -g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security
          suid cflags:
          ldflags:           -Wl,-z,relro -Wl,-z,now
