On Tue, Feb 14, 2023 at 05:07:49PM +0200, Peter Pentchev wrote: > Right, when I said "record the compiler flags", I did not mean "and always > pass them on verbatim". I think you may already know this, since you talk > about Python, but yeah, in Python's case things are really not that simple. > This command: > > python3 -c 'import pprint; import sysconfig; pprint.pp(dict(item for item > in sysconfig.get_config_vars().items() if "CFLAGS" in item[0]));' > > ...displays all of the "system configuration variables" (pretty much exactly > things recorded at Python build time) that have "CFLAGS" in their name, and > at least with Python 3.11 in testing, there are *a lot* of those. Some of them > are obviously module-specific configuration for the various Python standard > library modules, but there are others, too. > > Other systems record compiler (and linker, etc) flags with different > granularity, > but yes, you are correct that it makes a lot of sense to take care what is > recorded and how.
Indeed. FWIW what we do with Perl is to filter away those flags that come from dpkg-buildflags [1], but record the others. The dpkg-buildflags ones get passed into XS module package builds separately by debhelper, so packages can individually opt out of things like hardening if necessary via the normal interface (DEB_BUILD_MAINT_OPTIONS etc.) There's some background that led to this in #657853 . Some important flags that really need to be recorded are those that affect the Perl <> XS module binary interface, in particular the LFS ones (-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64). [1] https://sources.debian.org/src/perl/5.36.0-7/debian/rules/#L182 -- Niko Tyni nt...@debian.org