Le jeudi, 31 décembre 2020, 11.00:42 h CET Martin-Éric Racine a écrit :
> Salut Didier,
>
> to 31. jouluk. 2020 klo 11.41 Didier 'OdyX' Raboud (odyx@debian.org)
kirjoitti:
> > Le vendredi, 25 décembre 2020, 12.58:39 h CET Martin-Éric Racine a écrit :
> > > I've been maintaining CUPS-PDF ever since it entered Debian.
> > >
> > > Recently, Lintian has been giving all sorts of hints about enabling
> > > hardening. Bug reports at Debian and at derivatives suggest that some
> > > of the hardening options might cause CUP-PDF to fail at writing files
> > > to the expected destination.
> > >
> > > I was this wondering what sort of hardening options (if any) are used
> > > for buiilding other CUPS printer drivers that require compiling?
> >
> > In terms of compilation hardening, this is what's used in CUPS:
> > https://sources.debian.org/src/cups/2.3.3op1-4/debian/rules/#L7
> >
> > # Enabling PIE globally doesn't work, but ./configure already enables PIE
> > # where necessary.
> > export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie
>
> What you use as hardening options precisely is what interests me, but
> not for building CUPS itself as much as for building binary CUPS
> backends/drivers.
>
> I'm asking because, for instance, for an Xorg driver, I've had to
> explicitly disable bindnow (DEB_BUILD_MAINT_OPTIONS =
> hardening=+all,-bindnow), otherwise the driver cannot load X
> extensions.
cups-filters uses
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
But others don't use hardening options at all I think. As far as I understand
CUPS drivers, hardening options should have no effect on behaviour; CUPS
doesn't dynamically load the drivers, it executes them and passes data through
stdin/stdout from them.
Best,
OdyXAttachment:
signature.asc
Description: This is a digitally signed message part.