Hi Didier,

On Thu, 31 Dec 2020 at 11:41, Didier 'OdyX' Raboud ([email protected]) wrote:
> On Friday, 25 December 2020, 12:58:39 CET, Martin-Éric Racine wrote:
> > I've been maintaining CUPS-PDF ever since it entered Debian.
> >
> > Recently, Lintian has been giving all sorts of hints about enabling
> > hardening. Bug reports at Debian and at derivatives suggest that some
> > of the hardening options might cause CUPS-PDF to fail at writing files
> > to the expected destination.
> >
> > I was thus wondering what sort of hardening options (if any) are used
> > for building other CUPS printer drivers that require compiling?
>
> In terms of compilation hardening, this is what's used in CUPS:
> https://sources.debian.org/src/cups/2.3.3op1-4/debian/rules/#L7
>
> # Enabling PIE globally doesn't work, but ./configure already enables PIE
> # where necessary.
> export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie

What you use as hardening options precisely is what interests me, but
not for building CUPS itself as much as for building binary CUPS
backends/drivers.

I'm asking because, for instance, for an Xorg driver, I've had to
explicitly disable bindnow
(DEB_BUILD_MAINT_OPTIONS = hardening=+all,-bindnow), otherwise the
driver cannot load X extensions.

> In terms of runtime hardening, CUPS ships with an apparmor profile
> https://sources.debian.org/src/cups/2.3.3op1-4/debian/local/apparmor-profile/

I'm aware of that one. CUPS-PDF ships with comments in the config
file, in NEWS.Debian and in the package description to warn about
this. This is not what I was asking about.

Martin-Éric
