On Thursday, 31 December 2020, 11:00:42 CET, Martin-Éric Racine wrote:
> Hi Didier,
>
> On Thu, 31 Dec 2020 at 11:41, Didier 'OdyX' Raboud (odyx@debian.org) wrote:
> > On Friday, 25 December 2020, 12:58:39 CET, Martin-Éric Racine wrote:
> > > I've been maintaining CUPS-PDF ever since it entered Debian.
> > >
> > > Recently, Lintian has been giving all sorts of hints about enabling
> > > hardening. Bug reports at Debian and at derivatives suggest that some
> > > of the hardening options might cause CUPS-PDF to fail at writing files
> > > to the expected destination.
> > >
> > > I was thus wondering what sort of hardening options (if any) are used
> > > for building other CUPS printer drivers that require compiling?
> >
> > In terms of compilation hardening, this is what's used in CUPS:
> > https://sources.debian.org/src/cups/2.3.3op1-4/debian/rules/#L7
> >
> > # Enabling PIE globally doesn't work, but ./configure already enables PIE
> > # where necessary.
> > export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie
>
> What you use as hardening options precisely is what interests me, but
> not for building CUPS itself as much as for building binary CUPS
> backends/drivers.
>
> I'm asking because, for instance, for an Xorg driver, I've had to
> explicitly disable bindnow (DEB_BUILD_MAINT_OPTIONS =
> hardening=+all,-bindnow), otherwise the driver cannot load X
> extensions.

cups-filters uses

export DEB_BUILD_MAINT_OPTIONS = hardening=+all

But others don't use hardening options at all, I think.

As far as I understand CUPS drivers, hardening options should have no effect on behaviour; CUPS doesn't dynamically load the drivers, it executes them and passes data through stdin/stdout from them.

Best,
OdyX
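An added example, not part of the thread or of any package mentioned in it: one way to check which of the `pie`, `relro` and `bindnow` hardening features discussed above actually ended up in a built backend or driver binary, by reading its ELF program headers and dynamic section. The names `hardening` and `sample_elf` are hypothetical, only little-endian ELF64 is handled, and the sample image is a constructed header-only stub rather than a real binary.

```python
import struct
import sys

PT_DYNAMIC, PT_GNU_RELRO, ET_DYN = 2, 0x6474E552, 3
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def hardening(data):
    """Report PIE / RELRO / BIND_NOW for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    relro = bindnow = False
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            # Walk the Elf64_Dyn entries (tag, value) until DT_NULL.
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == 0:
                    break
                bindnow |= (tag == DT_BIND_NOW
                            or (tag == DT_FLAGS and bool(val & DF_BIND_NOW))
                            or (tag == DT_FLAGS_1 and bool(val & DF_1_NOW)))
    return {"pie": e_type == ET_DYN,  # ET_DYN: PIE executable or shared object
            "relro": "full" if relro and bindnow else "partial" if relro else "none",
            "bindnow": bindnow}

def sample_elf(bind_now):
    """Constructed header-only ELF64 image (not a real binary) for the demo."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b""
    dyn += struct.pack("<qQ", 0, 0)  # DT_NULL terminator
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 176, 176, 176, len(dyn), len(dyn), 8)
    phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 176, 176, 176, len(dyn), len(dyn), 1)
    return ehdr + phdrs + dyn

if __name__ == "__main__":
    images = ([(p, open(p, "rb").read()) for p in sys.argv[1:]] or
              [("constructed +bindnow", sample_elf(True)),
               ("constructed -bindnow", sample_elf(False))])
    for name, image in images:
        print(name, hardening(image))
```

Run with one or more paths to built binaries as arguments to inspect them; with no arguments it reports on the two constructed images.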