Consider lines with -O0 or -Og debug builds.

[blhc/blhc.git] / README

diff --git a/README b/README
index e039ce99cf44634933be6ab14514929dc59f693b..5e58567bbf6899f0078a7af423ff3236c05aa2e5 100644 (file)
--- a/README
+++ b/README
@@ -101,11 +101,12 @@ following line (output of dpkg-buildpackage):
 The available hardening flags are adapted to the architecture because some
 architectures don't support certain hardening options.
 
 The available hardening flags are adapted to the architecture because some
 architectures don't support certain hardening options.
 

-Some checks (Ada and hardening-wrapper at the moment) check the build
-dependencies for certain packages. The following lines are used to get the
-build dependencies. The first is used in buildd build logs, the second by
-pbuilder logs, both are detected:
+Some checks check the build dependencies for certain packages. The following
+lines are used to get the build dependencies. The first two are used in buildd
+build logs (the second was used in older logs), the third by pbuilder logs,
+all are detected:

 
 

+    Filtered Buildd-Depends: ...

     Build-Depends: ...
     Depends: ...
 
     Build-Depends: ...
     Depends: ...
 


@@ -122,6 +123,10 @@ If it's not present no compiler commands are detected. In case you don't use
 dpkp-buildpackage but still want to check a build log, adding it as first line
 should work fine.
 
 dpkp-buildpackage but still want to check a build log, adding it as first line
 should work fine.
 

+To prevent false positives when checking debug builds, compiler lines
+containing '-OO' or '-Og' are considered debug builds and are not checked for
+'-O2', even though fortification doesn't work without '-O2'.
+

 The following non-verbose builds can't be detected:
 
     gcc -o test
 The following non-verbose builds can't be detected:
 
     gcc -o test