Hi All,

2016-09-03 8:24 GMT+02:00 Stuart Prescott <[email protected]>:
> Hi Jonathon,
>
>> one proposed solution[1] is to add
>>
>> $(shell dpkg-buildflags --get LDFLAGS)
>>
>> to the LDFLAGS
>>
>> however, dpkg-buildflags does *not* add flags for bindnow by default[2],
>> and the system needs additional configuration to add these.

There is an ongoing effort to make it the default:
https://wiki.debian.org/Hardening/PIEByDefaultTransition

Probably it would be a good idea to wait a few weeks to see if bindnow
gets enabled by default before (instead of) updating all the packages.

>
> Buried elsewhere on the wiki page is that you also need to enable additional
> hardening options for dpkg-buildflags to include bindnow. For lots of common
> build systems, dh will actually already include dpkg-buildflags --get LDFLAGS
> for you, the trick is to tell dpkg-buildflags to include yet more.
>
> Often, this is sufficient:
>
> export DEB_BUILD_MAINT_OPTIONS = hardening=+all

The change in defaults would make this currently needed addition obsolete.

Cheers,
Balint
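
One way to check whether the linker flags from dpkg-buildflags actually request bindnow, with and without the hardening=+all option discussed in this thread (an added example, not part of the original messages; the function names `has_bindnow` and `report_bindnow` are hypothetical, and the check only recognises the `-Wl,` spellings of the flag):

```shell
#!/bin/sh
# has_bindnow FLAGS
# Succeeds if FLAGS asks the linker for immediate binding ("-z now").
# Handles the separate form  -Wl,-z,now  and the combined form
# -Wl,-z,relro,-z,now ; other spellings are not recognised (assumption).
has_bindnow() {
    for word in $1; do
        case "$word" in
            -Wl,*)
                prev=
                # Walk the comma-separated linker options one at a time.
                for opt in $(printf '%s' "${word#-Wl,}" | tr ',' ' '); do
                    if [ "$prev" = "-z" ] && [ "$opt" = "now" ]; then
                        return 0
                    fi
                    prev=$opt
                done
                ;;
        esac
    done
    return 1
}

# report_bindnow
# Compares dpkg-buildflags output under its current defaults and with
# DEB_BUILD_MAINT_OPTIONS=hardening=+all set in the environment.
report_bindnow() {
    default_flags=$(unset DEB_BUILD_MAINT_OPTIONS; dpkg-buildflags --get LDFLAGS)
    all_flags=$(DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags --get LDFLAGS)

    if has_bindnow "$default_flags"; then
        echo "default:        bindnow present ($default_flags)"
    else
        echo "default:        bindnow missing ($default_flags)"
    fi
    if has_bindnow "$all_flags"; then
        echo "hardening=+all: bindnow present ($all_flags)"
    else
        echo "hardening=+all: bindnow missing ($all_flags)"
    fi
}

# Only query the tool where it is installed (Debian and derivatives).
if command -v dpkg-buildflags >/dev/null 2>&1; then
    report_bindnow
fi
```

If the "default" line already reports bindnow as present, the explicit DEB_BUILD_MAINT_OPTIONS setting is no longer needed for this flag on that system.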

