X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=bin%2Fblhc;h=b51d18653d0dfca5cd1c270683ba17e6ed7ce5ef;hb=56ec5b40a99b961306fb0ae1a16cd1b66c351cf8;hp=cfdcbba0fd103770b0b0a068d56fe0c1223083c5;hpb=290a8e3484c700ebb91c3460820310e03ca38cb2;p=blhc%2Fblhc.git
diff --git a/bin/blhc b/bin/blhc
index cfdcbba..b51d186 100755
--- a/bin/blhc
+++ b/bin/blhc
@@ -2,7 +2,7 @@
# Build log hardening check, checks build logs for missing hardening flags.
-# Copyright (C) 2012-2017 Simon Ruderich
+# Copyright (C) 2012-2018 Simon Ruderich
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -602,6 +602,7 @@ my @option_ignore_arch_line = ();
my $option_all = 0;
my $option_arch = undef;
my $option_buildd = 0;
+my $option_debian = 0;
$option_color = 0;
if (not Getopt::Long::GetOptions(
'help|h|?' => \$option_help,
@@ -620,6 +621,7 @@ if (not Getopt::Long::GetOptions(
'color' => \$option_color,
'arch=s' => \$option_arch,
'buildd' => \$option_buildd,
+ 'debian' => \$option_debian,
)) {
require Pod::Usage;
Pod::Usage::pod2usage(2);
@@ -630,7 +632,7 @@ if ($option_help) {
}
if ($option_version) {
print <<"EOF";
-blhc $VERSION Copyright (C) 2012-2017 Simon Ruderich
+blhc $VERSION Copyright (C) 2012-2018 Simon Ruderich
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
@@ -751,8 +753,11 @@ foreach my $file (@ARGV) {
my $parallel = 10;
# Don't check for PIE flags if automatically applied by the compiler. Only
- # used in buildd mode.
+ # used in buildd and Debian mode.
my $disable_harden_pie = 0;
+ if ($option_debian) {
+ $disable_harden_pie = 1;
+ }
while (my $line = <$fh>) {
# Detect architecture automatically unless overridden. For buildd logs
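Review bot: In the last hunk the new `if ($option_debian)` block sets `$disable_harden_pie = 1` once per file, before the first log line is read, so within the visible lines the decision rests only on the command-line flag and not on anything found in the log. If the log came from a toolchain that does not enable PIE by default, a build without PIE would then pass unreported, which is the false negative a hardening checker most needs to avoid. The `foreach` body continues outside the hunk, so any later architecture or compiler gating is not visible here. If there is none, I would record the trust assumption next to the assignment, e.g. `# --debian: the caller asserts the compiler defaults to PIE; the log is not checked for it.`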
@@ -1488,6 +1493,12 @@ error).
=back
+=item B<--debian>
+
+Apply Debian-specific settings. At the moment this only disables checking for
+PIE which is automatically applied by Debian's GCC and no longer requires a
+compiler command line argument.
+
=item B<--color>
Use colored (ANSI) output for warning messages.
@@ -1575,6 +1586,13 @@ Use blhc with pbuilder.
pbuilder path/to/package.dsc | tee path/log/file
blhc path/to/file || echo flags missing
+Assume this build log was created on a Debian system and thus don't warn about
+missing PIE flags if the current architecture injects them automatically (this
+is enabled in buildd mode per default). C<--arch> is necessary if the build
+log contains no architecture information as written by dpkg-buildpackage.
+
+ blhc --debian --all --arch=amd64 path/to/log/file
+
=head1 BUILDD TAGS
The following tags are used in I<--buildd> mode. In braces the additional data
@@ -1669,7 +1687,7 @@ Ejari.aalto@cante.netE for their valuable input and suggestions.
=head1 LICENSE AND COPYRIGHT
-Copyright (C) 2012-2017 by Simon Ruderich
+Copyright (C) 2012-2018 by Simon Ruderich
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
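Review bot: The two new POD passages describe `--debian` differently: the `=item B<--debian>` text says it "only disables checking for PIE", while the example paragraph says warnings are skipped only "if the current architecture injects them automatically" and ties that to `--arch`. A reader relying on a clean blhc result needs to know which one holds, because an unconditional skip hides missing PIE on any log passed with this flag. If the architecture condition is what the code implements, the option text could add a sentence such as `PIE is only skipped on architectures where it is enabled by default; use B<--arch> if the log does not name one.` If it is not, the example paragraph should drop the condition.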