From: Daniel Kahn Gillmor Date: Mon, 10 Jun 2019 01:35:03 +0000 (+0300) Subject: debian: enable build hardening features X-Git-Tag: archive/debian/0.30_rc0-1~177 X-Git-Url: https://git.cworth.org/git?a=commitdiff_plain;h=cd733b079f7038d73cbaa88fa5ade40794f670bd;p=notmuch-old debian: enable build hardening features Debian's build hardening toolchain options produce binary artifacts that are more resistant to compromise. The most visible change for notmuch today is likely to be the addition of the "bindnow" linker flag, which contributes to making the "Global Offset Table" fully read-only. See https://wiki.debian.org/Hardening for more details. Signed-off-by: Daniel Kahn Gillmor --- diff --git a/debian/rules b/debian/rules index d056edb6..ebd10481 100755 --- a/debian/rules +++ b/debian/rules @@ -2,6 +2,8 @@ python3_all = py3versions -s | xargs -n1 | xargs -t -I {} env {} +export DEB_BUILD_MAINT_OPTIONS = hardening=+all + %: dh $@ --with python2,python3,elpa
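Review bot: The new `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` line in debian/rules carries no comment, so a later reader of the rules file has to go to the commit log to learn why it is there and what it is expected to change. A one-line comment above it would help, pointing to https://wiki.debian.org/Hardening and naming the "bindnow" effect the commit message calls out. The export only sets a variable. Whether the flags actually reach the compiler and linker depends on `dh $@` passing them to a build that honors them, which this hunk does not show. It is worth confirming on a built package, for example by running `hardening-check` on the installed binaries or `blhc` on the build log, and recording the result in the commit message.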