features are correctly used.
It's designed to check build logs generated by Debian's dpkg-buildpackage (or
-tools using dpkg-buildpackage like pbuilder or the official buildd build logs)
-to help maintainers detect missing hardening flags in their packages.
+tools using dpkg-buildpackage like pbuilder or sbuild (which is used for the
+official buildd build logs)) to help maintainers detect missing hardening
+flags in their packages.
At the moment it works only on Debian and derivatives but it should be easily
extendable to other systems as well. Patches are welcome.
The available hardening flags are adapted to the architecture because some
architectures don't support certain hardening options.
-Some checks (Ada and hardening-wrapper at the moment) check the build
-dependencies for certain packages. The following lines are used to get the
-build dependencies. The first is used in buildd build logs, the second by
-pbuilder logs, both are detected:
+Some checks check the build dependencies for certain packages. The following
+lines are used to get the build dependencies. The first two are used in buildd
+build logs (the second was used in older logs), the third by pbuilder logs,
+all are detected:
+ Filtered Buildd-Depends: ...
Build-Depends: ...
Depends: ...
dpkg-buildpackage: ...
If it's not present no compiler commands are detected. In case you don't use
-dpkp-buildpackage but still want to check a build log adding it as first line
+dpkp-buildpackage but still want to check a build log, adding it as first line
should work fine.
+To prevent false positives when checking debug builds, compiler lines
+containing '-OO' or '-Og' are considered debug builds and are not checked for
+'-O2', even though fortification doesn't work without '-O2'.
+
The following non-verbose builds can't be detected:
gcc -o test
ruderich.org/simon / blhc / blhc.git / blobdiff