commit 6378afdeb4e15607bedebe5270137657c7961be7 Author: Nicolas Vigier boklm@torproject.org Date: Tue May 30 14:51:46 2017 +0200
Bug 22444: use hardening-wrapper when building gcc for the Linux build --- projects/gcc/build | 11 +++++++++++ projects/gcc/config | 2 ++ 2 files changed, 13 insertions(+)
diff --git a/projects/gcc/build b/projects/gcc/build
index e509aac..e2902ad 100644
--- a/projects/gcc/build
+++ b/projects/gcc/build
@@ -1,6 +1,17 @@
 #!/bin/sh
 [% c("var/set_default_env") -%]
 [% c("var/setarch") -%]
+[% IF c("var/linux") -%]
+ # Config options for hardening-wrapper
+ export DEB_BUILD_HARDENING=1
+ export DEB_BUILD_HARDENING_STACKPROTECTOR=1
+ export DEB_BUILD_HARDENING_FORTIFY=1
+ export DEB_BUILD_HARDENING_PIE=1
+ # We need to disable `-Werror=format-security` as GCC does not build with it
+ # anymore. It seems it got audited for those problems already:
+ # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=48817.
+ export DEB_BUILD_HARDENING_FORMAT=0
+[% END -%]
 distdir=/var/tmp/dist/[% project %]
 mkdir /var/tmp/build
 tar -C /var/tmp/build -xf [% project %]-[% c("version") %].tar.bz2
diff --git a/projects/gcc/config b/projects/gcc/config
index 3871455..d97afbf 100644
--- a/projects/gcc/config
+++ b/projects/gcc/config
@@ -47,12 +47,14 @@ targets:
 var:
 configure_opt: --enable-multilib --enable-languages=c,c++ --with-system-zlib
 arch_deps:
+ - hardening-wrapper
 - libc6-dev
 - zlib1g-dev
 linux-x86_64:
 var:
 configure_opt: --enable-multilib --enable-languages=c,c++ --with-arch_32=i686
 arch_deps:
+ - hardening-wrapper
 - libc6-dev-i386
 input_files:
 - project: container-image
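Review bot: The exports inside the `[% IF c("var/linux") -%]` block name STACKPROTECTOR, FORTIFY and PIE explicitly but leave `DEB_BUILD_HARDENING_RELRO` and `DEB_BUILD_HARDENING_BINDNOW` to whatever hardening-wrapper defaults to, so the intended linker hardening cannot be read off the script. If they are wanted, state them next to the others (`export DEB_BUILD_HARDENING_RELRO=1`, `export DEB_BUILD_HARDENING_BINDNOW=1`); if they are deliberately left out, a one-line comment saying so would help the next auditor. Nothing in the visible lines confirms that the wrapper took effect: the variables only matter while the wrapped system compiler and linker are the ones being run, and later stages of a GCC build may be compiled by the freshly built compiler instead. A post-build `readelf -l`/`readelf -d` check of the installed binaries and runtime libraries for PIE, RELRO and the stack-protector symbol would catch a silent no-op. The script continues past the end of the hunk, so such a check may already exist there.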
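Review bot: The two `- hardening-wrapper` entries are added per target under `arch_deps`, while the build script gates the `DEB_BUILD_HARDENING*` exports on `c("var/linux")`, and nothing visible here ties the two conditions together. The name of the first target lies above the hunk, so it cannot be confirmed from this view that every target with `var/linux` set also receives the package; on a target that sets the variable but lacks the dependency, the exports would be ignored without any error. Declaring the dependency once at the level where `var/linux` is defined, or adding a comment such as `# required by the DEB_BUILD_HARDENING exports in projects/gcc/build`, would keep the two files in step. I believe hardening-wrapper is no longer shipped in newer Debian releases (worth confirming), so its availability depends on the suite used by the `container-image` input.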