Consider lines with -O0 or -Og debug builds.

[blhc/blhc.git] / README

diff --git a/README b/README
index e039ce99cf44634933be6ab14514929dc59f693b..5e58567bbf6899f0078a7af423ff3236c05aa2e5 100644 (file)
--- a/README
+++ b/README
@@ -101,11 +101,12 @@ following line (output of dpkg-buildpackage):
 The available hardening flags are adapted to the architecture because some
 architectures don't support certain hardening options.
 
-Some checks (Ada and hardening-wrapper at the moment) check the build
-dependencies for certain packages. The following lines are used to get the
-build dependencies. The first is used in buildd build logs, the second by
-pbuilder logs, both are detected:
+Some checks check the build dependencies for certain packages. The following
+lines are used to get the build dependencies. The first two are used in buildd
+build logs (the second was used in older logs), the third by pbuilder logs,
+all are detected:
 
+    Filtered Buildd-Depends: ...
     Build-Depends: ...
     Depends: ...
 
@@ -122,6 +123,10 @@ If it's not present no compiler commands are detected. In case you don't use
 dpkp-buildpackage but still want to check a build log, adding it as first line
 should work fine.
 
+To prevent false positives when checking debug builds, compiler lines
+containing '-OO' or '-Og' are considered debug builds and are not checked for
+'-O2', even though fortification doesn't work without '-O2'.
+
 The following non-verbose builds can't be detected:
 
     gcc -o test