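Hardening options are a part of a packaging build system that needs attention, and should as far as possible
In nix:
The relevant flags can be disabled/enabled via hardeningDisable/hardeningEnable
For example, format corresponds to "-Wformat -Wformat-security -Werror=format-security". This option is enabled by default, but for the occasional package that fails to compile with -Wformat-security it can be turned off with hardeningDisable = [ "format" ]
In Debian:
Similar grouping is supported as well, written like this:
DEB_BUILD_MAINT_OPTIONS=hardening=+pie,-fortify
https://github.com/deepin-community/vlc/blob/c35c1a5400f55bd4f130d77e29c9cd9adbce1506/debian/rules#L3
In addition, settings through environment variables such as DEB_BUILD_HARDENING_FORMAT are also supported
Related documentation:
wiki.debian.org/Hardening
wiki.ubuntu.com/Security/Features
wiki.archlinux.org/title/Security
wiki.gentoo.org/wiki/Project:Hardened
nixos.org/manual/nixpkgs/stable/#sec-hardening-in-nixpkgs
We should refer to the hardening requirements other distributions place on packaging, and further wrap the relevant compiler flags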
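A sketch of the kind of wrapper the issue proposes, as an added example that is not code from this project, dpkg or nixpkgs: named hardening groups with defaults, adjusted by a "+pie,-fortify" style spec and expanded into compiler and linker flags. The group names other than format, the default set and the function names are assumptions; only the format flag string comes from the issue, and the other flags are standard GCC/ld options.

```python
# Added example. FEATURES and DEFAULT_ON are illustrative assumptions,
# not the tables used by dpkg-buildflags or nixpkgs.
FEATURES = {
    # group name: (build variable, flags)
    "format": ("CFLAGS", "-Wformat -Wformat-security -Werror=format-security"),
    "fortify": ("CPPFLAGS", "-D_FORTIFY_SOURCE=2"),  # only effective with -O1 or higher
    "stackprotector": ("CFLAGS", "-fstack-protector-strong"),
    "pie": ("CFLAGS", "-fPIE"),  # also needs -pie at link time, see LINK_EXTRA
    "relro": ("LDFLAGS", "-Wl,-z,relro"),
    "bindnow": ("LDFLAGS", "-Wl,-z,now"),
}
LINK_EXTRA = {"pie": "-pie"}
DEFAULT_ON = ("format", "fortify", "stackprotector", "relro")  # assumed defaults


def resolve(spec=""):
    """Apply a '+pie,-fortify' style spec to the defaults; return enabled groups in table order."""
    enabled = set(DEFAULT_ON)
    for item in filter(None, (s.strip() for s in spec.split(","))):
        sign, name = item[0], item[1:]
        if sign not in "+-" or not name:
            raise ValueError(f"expected +name or -name, got {item!r}")
        names = list(FEATURES) if name == "all" else [name]
        for n in names:
            if n not in FEATURES:
                # A typo must fail the build rather than silently drop a protection.
                raise ValueError(f"unknown hardening feature {n!r}")
            (enabled.add if sign == "+" else enabled.discard)(n)
    return [n for n in FEATURES if n in enabled]


def build_flags(spec=""):
    """Return the CPPFLAGS, CFLAGS and LDFLAGS strings for the given spec."""
    out = {"CPPFLAGS": [], "CFLAGS": [], "LDFLAGS": []}
    for name in resolve(spec):
        var, flags = FEATURES[name]
        out[var].append(flags)
        if name in LINK_EXTRA:
            out["LDFLAGS"].append(LINK_EXTRA[name])
    return {var: " ".join(flags) for var, flags in out.items()}


if __name__ == "__main__":
    for var, value in build_flags("+pie,-fortify").items():
        print(f"{var}={value}")
```

Passing "-format" here plays the same role as hardeningDisable = [ "format" ] in nix: only the package that fails to build opts out, and every other group stays on.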