dpkg-buildflags


SYNOPSIS
       dpkg-buildflags [option...] [command]

DESCRIPTION
       dpkg-buildflags  is  a tool to retrieve compilation flags to use during
       build of Debian packages.  The default flags are defined by the  vendor
       but they can be extended/overriden in several ways:

       1.     system-wide with /etc/dpkg/buildflags.conf;

       2.     for  the current user with $XDG_CONFIG_HOME/dpkg/buildflags.conf
              where $XDG_CONFIG_HOME defaults to $HOME/.config;

       3.     temporarily by the user with environment variables (see  section
              ENVIRONMENT);

       4.     dynamically by the package maintainer with environment variables
              set via debian/rules (see section ENVIRONMENT).

       The configuration files can contain two types of directives:

       SET flag value
              Override the flag named flag to have the value value.

       STRIP flag value
              Strip from the flag named flag all the  build  flags  listed  in
              value.

       APPEND flag value
              Extend  the  flag  named  flag by appending the options given in
              value.  A space is prepended to the appended value if the flag's
              current value is non-empty.

       PREPEND flag value
              Extend  the  flag  named flag by prepending the options given in
              value.  A space is appended to the prepended value if the flag's
              current value is non-empty.

       The  configuration  files can contain comments on lines starting with a
       hash (#). Empty lines are also ignored.

COMMANDS
       --dump Print to standard output all compilation flags and their values.
              It prints one flag per line separated from its value by an equal
              sign ("flag=value"). This is the default action.

       --list Print the list of flags supported by the current vendor (one per
              line).  See  the  SUPPORTED  FLAGS  section for more information
              about them.

       --export=format
              Print to standard output shell (if format is  sh)  or  make  (if
              format is make) commands that can be used to export all the com-
              with 0 if the flag is known otherwise exits with 1.  The  origin
              can be one of the following values:

              vendor the original flag set by the vendor is returned;

              system the flag is set/modified by a system-wide configuration;

              user   the  flag  is  set/modified by a user-specific configura-
                     tion;

              env    the flag is set/modified by an environment-specific  con-
                     figuration.

       --help Show the usage message and exit.

       --version
              Show the version and exit.

SUPPORTED FLAGS
       CFLAGS Options  for the C compiler. The default value set by the vendor
              includes -g and the default optimization level (-O2 usually,  or
              -O0   if  the  DEB_BUILD_OPTIONS  environment  variable  defines
              noopt).

       CPPFLAGS
              Options for the C preprocessor. Default value: empty.

       CXXFLAGS
              Options for the C++ compiler. Same as CFLAGS.

       FFLAGS Options for the Fortran compiler. Same as CFLAGS.

       LDFLAGS
              Options passed to  the  compiler  when  linking  executables  or
              shared objects (if the linker is called directly, then -Wl and ,
              have to be stripped from these options). Default value: empty.

FILES
       /etc/dpkg/buildflags.conf
              System wide configuration file.

       $XDG_CONFIG_HOME/dpkg/buildflags.conf   or    $HOME/.config/dpkg/build-
       flags.conf
              User configuration file.

ENVIRONMENT
       There  are  2  sets of environment variables doing the same operations,
       the first one (DEB_flag_op) should never be used  within  debian/rules.
       It's  meant  for any user that wants to rebuild the source package with
       different build flags. The second set (DEB_flag_MAINT_op)  should  only
       be  used in debian/rules by package maintainers to change the resulting
       build flags.

       DEB_flag_SET
              This variable can be used to append supplementary options to the
              value returned for the given flag.

       DEB_flag_PREPEND
       DEB_flag_MAINT_PREPEND
              This variable can be used to prepend  supplementary  options  to
              the value returned for the given flag.

       DEB_BUILD_MAINT_OPTIONS
              This  variable  can  be used to disable/enable various hardening
              build flags through the hardening option. See the HARDENING sec-
              tion for details.

HARDENING
       Several  compile-time  options  (detailed  below)  can  be used to help
       harden a resulting binary against memory corruption attacks, or provide
       additional  warning messages during compilation. Except as noted below,
       these are enabled by default for architectures that support them.

       Each  hardening  feature  can  be   enabled   and   disabled   in   the
       DEB_BUILD_MAINT_OPTIONS environment variable's hardening value with the
       "+" and "-" modifier. For example, to enable the "pie" feature and dis-
       able the "fortify" feature you can do this in debian/rules:

         export DEB_BUILD_MAINT_OPTIONS=hardening=+pie,-fortify

       The  special feature all can be used to enable or disable all hardening
       features at the same time. Thus disabling everything and enabling  only
       "format" and "fortify" can be achieved with:

         export DEB_BUILD_MAINT_OPTIONS=hardening=-all,+format,+fortify

       format This  setting  (enabled by default) adds -Wformat -Wformat-secu-
              rity -Werror=format-security to CFLAGS and CXXFLAGS.  This  will
              warn  about improper format string uses, and will fail when for-
              mat functions are used in a way  that  that  represent  possible
              security  problems. At present, this warns about calls to printf
              and scanf functions where the format string is not a string lit-
              eral  and  there  are  no  format  arguments, as in printf(foo);
              instead of printf("%s", foo); This may be a security hole if the
              format string came from untrusted input and contains "%n".

       fortify
              This  setting  (enabled  by default) adds -D_FORTIFY_SOURCE=2 to
              CPPFLAGS. During code generation the compiler knows a great deal
              of information about buffer sizes (where possible), and attempts
              to replace insecure unlimited length buffer function calls  with
              length-limited  ones.  This is especially useful for old, crufty
              code.  Additionally, format strings in writable memory that con-
              tain  '%n' are blocked. If an application depends on such a for-
              mat string, it will need to be worked around.

              Note that for this option to have any effect,  the  source  must
              also be compiled with -O1 or higher.

       relro  This setting (enabled by default) adds -Wl,-z,relro to  LDFLAGS.
              During  program  load,  several  ELF  memory sections need to be
              written to by the linker. This flags the loader  to  turn  these
              sections  read-only  before turning over control to the program.
              Most notably this prevents GOT overwrite attacks.

       bindnow
              This setting (disabled by default) adds -Wl,-z,now  to  LDFLAGS.
              During  program load, all dynamic symbols are resolved, allowing
              for the entire PLT to be marked read-only (due to relro above).

       pie    This setting (disabled by default)  adds  -fPIE  to  CFLAGS  and
              CXXFLAGS,  and  -fPIE -pie to LDFLAGS. Position Independent Exe-
              cutable are needed to take advantage  of  Address  Space  Layout
              Randomization, supported by some kernel versions. While ASLR can
              already be enforced for data areas in the stack  and  heap  (brk
              and  mmap), the code areas must be compiled as position-indepen-
              dent. Shared libraries already do this  (-fPIC),  so  they  gain
              ASLR  automatically,  but  binary .text regions need to be build
              PIE to gain ASLR. When this happens, ROP (Return  Oriented  Pro-
              gramming)  attacks  are  much  harder  since there are no static
              locations to bounce off of during a memory corruption attack.

              This is not compatible with -fPIC so care  must  be  taken  when
              building shared objects.

              Additionally,  since  PIE is implemented via a general register,
              some architectures  (most  notably  i386)  can  see  performance
              losses of up to 15% in very text-segment-heavy application work-
              loads; most workloads see less than 1%. Architectures with  more
              general  registers  (e.g. amd64) do not see as high a worst-case
              penalty.

AUTHOR
       Copyright (C) 2010-2011 Raphael Hertzog

       Copyright (C) 2011 Kees Cook

       This is free software; see the GNU General Public Licence version 2  or
       later for copying conditions. There is NO WARRANTY.




Debian Project                    2011-09-13                dpkg-buildflags(1)
Man Pages Copyright Respective Owners. Site Copyright (C) 1994 - 2017 Hurricane Electric. All Rights Reserved.