package: dpkg-dev
severity: minor
version: 1.19.0.5
tag: patch

I found the manpage a bit unclear when it comes to handling of the pie hardening option. Attached is a proposed rewording.
Best wishes, Mike
--- a/dpkg-buildflags.man 2018-01-17 00:49:03.000000000 +0000 +++ b/dpkg-buildflags.man 2018-05-25 22:13:52.545996804 +0000 @@ -390,15 +390,16 @@ . .TP .B pie -This setting (with no default since dpkg 1.18.23, and injected by default -by gcc on the amd64, arm64, armel, armhf, i386, kfreebsd-amd64, kfreebsd-i386, -mips, mipsel, mips64el, ppc64el, s390x, sparc and sparc64 Debian architectures) -adds the required options via gcc specs files if -needed to enable or disable PIE. When enabled and injected by gcc, -adds nothing. When enabled and not injected by gcc, adds \fB\-fPIE\fP +Since dpkg 1.8.23, this setting does nothing when enabled if gcc is +built with \-\-enable\-default\-pie (on amd64, arm64, armel, armhf, i386, +kfreebsd-amd64, kfreebsd-i386, mips, mipsel, mips64el, ppc64el, s390x, +sparc and sparc64 Debian architectures currently). When this setting is +disabled, /usr/share/dpkg/no-pie-compile.specs is used to disable pie. + +When gcc is not built with \-\-enable\-default\-pie, adds \fB\-fPIE\fP to \fBCFLAGS\fP, \fBCXXFLAGS\fP, \fBOBJCFLAGS\fP, \fBOBJCXXFLAGS\fP, \fBGCJFLAGS\fP, \fBFFLAGS\fP and \fBFCFLAGS\fP, and \fB\-fPIE \-pie\fP -to \fBLDFLAGS\fP. When disabled and injected by gcc, adds \fB\-fno\-PIE\fP +to \fBLDFLAGS\fP. When disabled, adds \fB\-fno\-PIE\fP to \fBCFLAGS\fP, \fBCXXFLAGS\fP, \fBOBJCFLAGS\fP, \fBOBJCXXFLAGS\fP, \fBGCJFLAGS\fP, \fBFFLAGS\fP and \fBFCFLAGS\fP, and \fB\-fno\-PIE \-no\-pie\fP to \fBLDFLAGS\fP.
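Review bot: The first added line gives the version as "Since dpkg 1.8.23", but the text it replaces says "since dpkg 1.18.23"; this looks like a dropped digit and should read 1.18.23. In the new second paragraph, "When gcc is not built with \-\-enable\-default\-pie, adds \fB\-fPIE\fP" no longer says that this applies only when the setting is enabled, so I would suggest "When enabled and gcc is not built with ...". The closing sentence now reads "When disabled, adds \fB\-fno\-PIE\fP" without the old "and injected by gcc" qualifier, which changes the documented behaviour for compilers that do not default to PIE; please either confirm that this is intended or keep the qualifier, and consider moving the no-pie-compile.specs sentence next to it so the disabled case is described in one place. As a style point, the hunk adds a bare empty line inside the .TP entry, while the surrounding context uses "." lines for spacing; a paragraph macro would be more consistent there, and "pie" in "used to disable pie" should be "PIE" to match the rest of the entry.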

