+ # dpkg-buildflags only provides hardening flags since 1.16.1, don't check
+ # for hardening flags in buildd mode if an older dpkg-dev is used. Default
+ # flags (-g -O2) are still checked.
+ #
+ # Packages which were built before 1.16.1 but used their own hardening
+ # flags are not checked.
+ if ($option_buildd and not $start
+ and $line =~ /^Toolchain package versions: /) {
+ require Dpkg::Version;
+ if ($line !~ /dpkg-dev_(\S+)/
+ or Dpkg::Version::version_compare($1, '1.16.1') < 0) {
+ $harden_format = 0;
+ $harden_fortify = 0;
+ $harden_stack = 0;
+ $harden_relro = 0;
+ $harden_bindnow = 0;
+ $harden_pie = 0;
+ }
+ }
+
+ # We skip over unimportant lines at the beginning of the log to prevent
+ # false positives.