On Thu, Aug 17, 2017 at 10:35:01AM -0300, Eriberto Mota wrote: > Hi Simon, > > Thanks for your reply. I did a test over nload package and I think > that blhc --debian is ignoring all lines with "PIE". I removed the > option line from debian/rules file (export DEB_BUILD_MAINT_OPTIONS = > hardening=+all). Without this line, was hoping to see it: > > LDFLAGS missing (-Wl,-z,now): g++ -g -O2 > -fdebug-prefix-map=/PKGS/nload/nload-0.7.4=. -fstack-protector-strong > -Wformat -Werror=format-security -Wall -Wl,-z,relro -s -o nload > device.o devreader.o devreaderfactory.o form_field.o graph.o main.o > opt_window.o screen.o setting.o settingfilter.o settingstore.o > statistics.o stringutils.o traffic_window.o window.o > devreader-linux.o devreader-linux-proc.o devreader-linux-sys.o > -lform -lncurses > > However, I saw nothing with --debian.
Hello Eriberto,
Sorry again for the late reply.
blhc doesn't check for bindnow (and PIE) per default unless you
use the --bindnow (or --all) option. I get the same output for
the following commands (which report the missing -Wl,-z,now):
blhc --bindnow nload_0.7.4-2_amd64.build
blhc --bindnow --debian nload_0.7.4-2_amd64.build
However with the --all option you are required to also specify
the --arch option to ignore "missing" PIE flags (or use a build
log which reports the architecture) as PIE is only injected by
gcc on certain architectures:
blhc --arch=amd64 --all --debian nload_0.7.4-2_amd64.build
Regards
Simon
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
signature.asc
Description: PGP signature
