2017-09-04 7:11 GMT-03:00 Simon Ruderich <si...@ruderich.org>: > On Thu, Aug 17, 2017 at 10:35:01AM -0300, Eriberto Mota wrote: >> Hi Simon, >> >> Thanks for your reply. I did a test over nload package and I think >> that blhc --debian is ignoring all lines with "PIE". I removed the >> option line from debian/rules file (export DEB_BUILD_MAINT_OPTIONS = >> hardening=+all). Without this line, was hoping to see it: >> >> LDFLAGS missing (-Wl,-z,now): g++ -g -O2 >> -fdebug-prefix-map=/PKGS/nload/nload-0.7.4=. -fstack-protector-strong >> -Wformat -Werror=format-security -Wall -Wl,-z,relro -s -o nload >> device.o devreader.o devreaderfactory.o form_field.o graph.o main.o >> opt_window.o screen.o setting.o settingfilter.o settingstore.o >> statistics.o stringutils.o traffic_window.o window.o >> devreader-linux.o devreader-linux-proc.o devreader-linux-sys.o >> -lform -lncurses >> >> However, I saw nothing with --debian. > > Hello Eriberto, > > Sorry again for the late reply.
Don't worry. You're welcome. > blhc doesn't check for bindnow (and PIE) per default unless you > use the --bindnow (or --all) option. I get the same output for > the following commands (which report the missing -Wl,-z,now): > > blhc --bindnow nload_0.7.4-2_amd64.build > blhc --bindnow --debian nload_0.7.4-2_amd64.build Hum... I can't see anything. These commands report nothing for me. > However with the --all option you are required to also specify > the --arch option to ignore "missing" PIE flags (or use a build > log which reports the architecture) as PIE is only injected by > gcc on certain architectures: > > blhc --arch=amd64 --all --debian nload_0.7.4-2_amd64.build Can you add these information to manpage and add a new example? Thanks! Cheers, Eriberto
