boklm pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits:
-
c606a927
by Nicolas Vigier at 2023-06-27T16:53:41+02:00
18 changed files:
- projects/binutils/build
- projects/binutils/config
- − projects/bison/build
- − projects/bison/config
- projects/cmake/build
- projects/container-image/config
- projects/firefox/build
- projects/firefox/config
- projects/firefox/mozconfig
- projects/gcc/build
- projects/gcc/config
- − projects/mmdebstrap-image/apt-key-allow-expired-key.patch
- projects/mmdebstrap-image/config
- projects/ninja/build
- projects/rust/build
- projects/sqlcipher/build
- projects/stemns/build
- rbm.conf
Changes:
... | ... | @@ -2,17 +2,7 @@ |
2 | 2 | [% c("var/set_default_env") -%]
|
3 | 3 | mkdir /var/tmp/dist
|
4 | 4 | distdir=/var/tmp/dist/binutils
|
5 | -[% IF c("var/linux") %]
|
|
6 | - # Config options for hardening-wrapper
|
|
7 | - export DEB_BUILD_HARDENING=1
|
|
8 | - export DEB_BUILD_HARDENING_STACKPROTECTOR=1
|
|
9 | - export DEB_BUILD_HARDENING_FORTIFY=1
|
|
10 | - export DEB_BUILD_HARDENING_FORMAT=1
|
|
11 | - export DEB_BUILD_HARDENING_PIE=1
|
|
12 | - |
|
13 | - tar -C /var/tmp/dist -xf $rootdir/[% c('input_files_by_name/bison') %]
|
|
14 | - export PATH=/var/tmp/dist/bison/bin:$PATH
|
|
15 | -[% END %]
|
|
5 | +[% IF c("var/linux"); GET c("var/set_hardened_build_flags"); END %]
|
|
16 | 6 | |
17 | 7 | tar xf [% project %]-[% c("version") %].tar.xz
|
18 | 8 | cd [% project %]-[% c("version") %]
|
... | ... | @@ -23,20 +13,6 @@ cd [% project %]-[% c("version") %] |
23 | 13 | make -j[% c("num_procs") %] MAKEINFO=true
|
24 | 14 | make install MAKEINFO=true
|
25 | 15 | |
26 | -# gold is disabled for linux-cross, because of
|
|
27 | -# https://sourceware.org/bugzilla/show_bug.cgi?id=14995
|
|
28 | -# Once we upgrade to glibc 2.26, we might be able to enable gold for
|
|
29 | -# linux-cross.
|
|
30 | -[% IF c("var/linux") && ! c("var/linux-cross") %]
|
|
31 | - # Make sure gold is used with the hardening wrapper for full RELRO, see #13031.
|
|
32 | - cd $distdir/bin
|
|
33 | - rm ld
|
|
34 | - cp /usr/bin/hardened-ld ./
|
|
35 | - mv ld.gold ld.gold.real
|
|
36 | - ln -sf hardened-ld ld.gold
|
|
37 | - ln -sf ld.gold ld
|
|
38 | -[% END %]
|
|
39 | - |
|
40 | 16 | cd /var/tmp/dist
|
41 | 17 | [% c('tar', {
|
42 | 18 | tar_src => [ project ],
|
... | ... | @@ -22,7 +22,3 @@ input_files: |
22 | 22 | file_gpg_id: 1
|
23 | 23 | gpg_keyring: binutils.gpg
|
24 | 24 | - project: container-image |
25 | - - project: bison
|
|
26 | - name: bison
|
|
27 | - # We try to use system's bison, but Jessie's is too old
|
|
28 | - enable: '[% c("var/linux") %]' |
1 | -#!/bin/bash
|
|
2 | -[% c("var/set_default_env") -%]
|
|
3 | -distdir=/var/tmp/dist/bison
|
|
4 | -tar xf [% project %]-[% c("version") %].tar.xz
|
|
5 | -cd [% project %]-[% c("version") %]
|
|
6 | -./configure --prefix=$distdir
|
|
7 | -make -j[% c("num_procs") %]
|
|
8 | -make install
|
|
9 | -cd /var/tmp/dist
|
|
10 | -[% c('tar', {
|
|
11 | - tar_src => [ project ],
|
|
12 | - tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'),
|
|
13 | - }) %] |
1 | -# vim: filetype=yaml sw=2
|
|
2 | -version: 3.8.2
|
|
3 | -filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
|
|
4 | -container:
|
|
5 | - use_container: 1
|
|
6 | - |
|
7 | -input_files:
|
|
8 | - - URL: https://ftp.gnu.org/gnu/bison/bison-[% c("version") %].tar.xz
|
|
9 | - sha256: 9bba0214ccf7f1079c5d59210045227bcf619519840ebfa80cd3849cff5a5bf2
|
|
10 | - - project: container-image |
... | ... | @@ -5,7 +5,7 @@ distdir=/var/tmp/dist/[% project %] |
5 | 5 | [% pc('gcc', 'var/setup', { compiler_tarfile => c('input_files_by_name/gcc'),
|
6 | 6 | hardened_gcc => 0 }) %]
|
7 | 7 | [% END -%]
|
8 | -mkdir /var/tmp/build
|
|
8 | +mkdir -p /var/tmp/build
|
|
9 | 9 | tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.gz
|
10 | 10 | cd /var/tmp/build/[% project %]-[% c('version') %]
|
11 | 11 | ./bootstrap --prefix=$distdir
|
... | ... | @@ -11,8 +11,8 @@ var: |
11 | 11 | |
12 | 12 | lsb_release:
|
13 | 13 | id: Debian
|
14 | - codename: jessie
|
|
15 | - release: 8.11
|
|
14 | + codename: stretch
|
|
15 | + release: 9.13
|
|
16 | 16 | |
17 | 17 | targets:
|
18 | 18 | no_containers:
|
... | ... | @@ -33,18 +33,13 @@ pre: | |
33 | 33 | # version of required packages.
|
34 | 34 | apt-get update -y -q
|
35 | 35 | [% IF pc(c('origin_project'), 'var/pre_pkginst', { step => c('origin_step') }) -%]
|
36 | - [% pc(c('origin_project'), 'var/pre_pkginst', { step => c('origin_step') }) %]
|
|
37 | - [% IF c("var/linux-cross") -%]
|
|
38 | - dpkg --add-architecture [% c("var/arch_debian") %]
|
|
39 | - [% END -%]
|
|
40 | - [% IF c("var/container/suite") == "jessie" -%]
|
|
41 | - # We need to use faketime to run `apt-get update` on jessie, because of
|
|
42 | - # expired key. See tor-browser-build#40693
|
|
43 | - dpkg -i ./libfaketime_0.9.6-3_amd64.deb ./faketime_0.9.6-3_amd64.deb
|
|
44 | - [% END -%]
|
|
45 | - # Update the package cache again because `pre_pkginst` may change the
|
|
46 | - # package manager configuration.
|
|
47 | - [% IF c("var/container/suite") == "jessie" %]faketime '2018-12-24 08:15:42' [% END %]apt-get update -y -q
|
|
36 | + [% pc(c('origin_project'), 'var/pre_pkginst', { step => c('origin_step') }) %]
|
|
37 | + [% IF c("var/linux-cross") -%]
|
|
38 | + dpkg --add-architecture [% c("var/arch_debian") %]
|
|
39 | + [% END -%]
|
|
40 | + # Update the package cache again because `pre_pkginst` may change the
|
|
41 | + # package manager configuration.
|
|
42 | + apt-get update -y -q
|
|
48 | 43 | [% END -%]
|
49 | 44 | apt-get upgrade -y -q
|
50 | 45 | [%
|
... | ... | @@ -87,9 +82,3 @@ input_files: |
87 | 82 | - project: mmdebstrap-image
|
88 | 83 | target:
|
89 | 84 | - '[% c("var/container/suite") %]-[% c("var/container/arch") %]' |
90 | - - URL: http://archive.debian.org/debian/pool/main/f/faketime/faketime_0.9.6-3_amd64.deb
|
|
91 | - sha256sum: 19b2a01a2fae7e6d5a8b741fc0bc626451cb4c2cc884ee79f1136dd3c2c26213
|
|
92 | - enable: '[% c("var/container/suite") == "jessie" %]'
|
|
93 | - - URL: http://archive.debian.org/debian/pool/main/f/faketime/libfaketime_0.9.6-3_amd64.deb
|
|
94 | - sha256sum: 82747d5815b226cfed7f6f9a751bf8c20d457f3ba786add6017d6904dea4fdb4
|
|
95 | - enable: '[% c("var/container/suite") == "jessie" %]' |
1 | 1 | #!/bin/bash
|
2 | 2 | [% c("var/set_default_env") -%]
|
3 | -[% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %]
|
|
3 | +[% pc(c('var/compiler'), 'var/setup', {
|
|
4 | + compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')),
|
|
5 | + hardened_gcc => 0, # don't set hardened_gcc since firefox is setting the hardened flags
|
|
6 | + }) %]
|
|
4 | 7 | distdir=/var/tmp/dist/[% project %]
|
5 | 8 | mkdir -p /var/tmp/build
|
6 | 9 | mkdir -p [% dest_dir _ '/' _ c('filename') %]
|
... | ... | @@ -96,7 +96,6 @@ targets: |
96 | 96 | - libgtk-3-dev
|
97 | 97 | - libdbus-glib-1-dev
|
98 | 98 | - libxt-dev
|
99 | - - hardening-wrapper
|
|
100 | 99 | # To pass configure since ESR 31
|
101 | 100 | - libpulse-dev
|
102 | 101 | # To pass configure since ESR 52
|
... | ... | @@ -116,7 +115,6 @@ targets: |
116 | 115 | - libgtk-3-dev:i386
|
117 | 116 | - libdbus-glib-1-dev:i386
|
118 | 117 | - libxt-dev:i386
|
119 | - - hardening-wrapper
|
|
120 | 118 | # To pass configure since ESR 31
|
121 | 119 | - libpulse-dev:i386
|
122 | 120 | # To pass configure since ESR 52
|
... | ... | @@ -10,6 +10,9 @@ |
10 | 10 | HOST_CXX=$CXX
|
11 | 11 | |
12 | 12 | export BINDGEN_CFLAGS='--gcc-toolchain=/var/tmp/dist/gcc'
|
13 | + |
|
14 | + # set LDFLAGS for Full RELRO
|
|
15 | + export LDFLAGS="-Wl,-z,relro -Wl,-z,now"
|
|
13 | 16 | [% END -%]
|
14 | 17 | |
15 | 18 | [% IF c("var/windows") -%]
|
1 | 1 | #!/bin/sh
|
2 | 2 | [% c("var/set_default_env") -%]
|
3 | -[% IF c("var/linux") -%]
|
|
4 | - # Config options for hardening-wrapper
|
|
3 | +mkdir -p /var/tmp/build
|
|
4 | +[% IF c("var/linux") && ! c("var/linux-cross") -%]
|
|
5 | + # Config options for hardening
|
|
5 | 6 | export DEB_BUILD_HARDENING=1
|
6 | - export DEB_BUILD_HARDENING_STACKPROTECTOR=1
|
|
7 | - export DEB_BUILD_HARDENING_FORTIFY=1
|
|
8 | 7 | # Since r223796 landed on GCC master enforcing PIE breaks GCC compilation.
|
9 | 8 | # The compiler gets built with `-fno-PIE` and linked with `-no-pie` as not
|
10 | 9 | # doing so would make precompiled headers (PCH) fail.
|
11 | 10 | # It is okay for us to omit this right now as it does not change any hardening
|
12 | 11 | # flags in the resulting bundles.
|
13 | - export DEB_BUILD_HARDENING_PIE=0
|
|
12 | + #
|
|
14 | 13 | # We need to disable `-Werror=format-security` as GCC does not build with it
|
15 | 14 | # anymore. It seems it got audited for those problems already:
|
16 | 15 | # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=48817.
|
17 | - export DEB_BUILD_HARDENING_FORMAT=0
|
|
16 | + export DEB_BUILD_OPTIONS=hardening=+bindnow,+relro,-pie,+fortify,+stackprotector,+stackprotectorstrong,-format
|
|
17 | + eval $(cd /var/tmp/build; dpkg-buildflags --export=sh)
|
|
18 | + export OPT_LDFLAGS="$LDFLAGS"
|
|
18 | 19 | [% END -%]
|
19 | 20 | distdir=/var/tmp/dist/[% c("var/distdir") %]
|
20 | -mkdir /var/tmp/build
|
|
21 | 21 | |
22 | 22 | [% IF c("var/linux-cross") -%]
|
23 | 23 |
... | ... | @@ -18,26 +18,7 @@ var: |
18 | 18 | [% IF ! c("var/linux-cross") -%]
|
19 | 19 | export LD_LIBRARY_PATH=/var/tmp/dist/[% c("var/distdir") %]/lib64:/var/tmp/dist/[% c("var/distdir") %]/lib32
|
20 | 20 | [% END -%]
|
21 | - |
|
22 | - [% IF c("hardened_gcc") -%]
|
|
23 | - # Config options for hardening-wrapper
|
|
24 | - export DEB_BUILD_HARDENING=1
|
|
25 | - export DEB_BUILD_HARDENING_STACKPROTECTOR=1
|
|
26 | - export DEB_BUILD_HARDENING_FORTIFY=1
|
|
27 | - export DEB_BUILD_HARDENING_FORMAT=1
|
|
28 | - export DEB_BUILD_HARDENING_PIE=1
|
|
29 | - |
|
30 | - # Make sure we use the hardening wrapper
|
|
31 | - pushd /var/tmp/dist/[% c("var/distdir") %]/bin
|
|
32 | - cp /usr/bin/hardened-cc ./
|
|
33 | - mv [% c("var/target_prefix") %]gcc [% c("var/target_prefix") %]gcc.real
|
|
34 | - mv [% c("var/target_prefix") %]c++ [% c("var/target_prefix") %]c++.real
|
|
35 | - mv [% c("var/target_prefix") %]g++ [% c("var/target_prefix") %]g++.real
|
|
36 | - ln -sf hardened-cc [% c("var/target_prefix") %]gcc
|
|
37 | - ln -sf hardened-cc [% c("var/target_prefix") %]c++
|
|
38 | - ln -sf hardened-cc [% c("var/target_prefix") %]g++
|
|
39 | - popd
|
|
40 | - [% END -%]
|
|
21 | + [% IF c("hardened_gcc"); GET c("var/set_hardened_build_flags"); END %]
|
|
41 | 22 | |
42 | 23 | targets:
|
43 | 24 | windows:
|
... | ... | @@ -51,7 +32,6 @@ targets: |
51 | 32 | var:
|
52 | 33 | configure_opt: --enable-multilib --enable-languages=c,c++ --with-arch_32=i686
|
53 | 34 | arch_deps:
|
54 | - - hardening-wrapper
|
|
55 | 35 | - libc6-dev-i386
|
56 | 36 | linux-cross:
|
57 | 37 | var:
|
... | ... | @@ -64,7 +44,6 @@ targets: |
64 | 44 | glibc_version: 2.26
|
65 | 45 | linux_version: 4.10.1
|
66 | 46 | arch_deps:
|
67 | - - hardening-wrapper
|
|
68 | 47 | - libc6-dev-i386
|
69 | 48 | - gawk
|
70 | 49 | linux-arm:
|
1 | ---- o/apt-key 2022-11-30 14:57:12.742026261 +0000
|
|
2 | -+++ n/apt-key 2022-12-01 08:38:08.170140893 +0000
|
|
3 | -@@ -815,11 +815,18 @@
|
|
4 | - create_gpg_home
|
|
5 | - fi
|
|
6 | - setup_merged_keyring
|
|
7 | -+ tmpfile=$(mktemp)
|
|
8 | -+ set +e
|
|
9 | - if [ -n "$FORCED_KEYRING" ]; then
|
|
10 | -- "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "$(dearmor_filename "${FORCED_KEYRING}")" --ignore-time-conflict "$@"
|
|
11 | -+ (eval "exec ${GPGSTATUSFD}>$tmpfile"; "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "$(dearmor_filename "${FORCED_KEYRING}")" --ignore-time-conflict "$@")
|
|
12 | - else
|
|
13 | -- "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@"
|
|
14 | -+ (eval "exec ${GPGSTATUSFD}>$tmpfile"; "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@")
|
|
15 | - fi
|
|
16 | -+ err=$?
|
|
17 | -+ set -e
|
|
18 | -+ cat "$tmpfile" | sed 's/^\[GNUPG:\] EXPKEYSIG /\[GNUPG:\] GOODSIG /' >&${GPGSTATUSFD}
|
|
19 | -+ rm -f "$tmpfile"
|
|
20 | -+ exit $err
|
|
21 | - ;;
|
|
22 | - help)
|
|
23 | - usage |
... | ... | @@ -6,7 +6,7 @@ container: |
6 | 6 | use_container: 1
|
7 | 7 | |
8 | 8 | var:
|
9 | - ubuntu_version: 22.04.1
|
|
9 | + ubuntu_version: 22.04.2
|
|
10 | 10 | |
11 | 11 | pre: |
|
12 | 12 | #!/bin/sh
|
... | ... | @@ -16,14 +16,6 @@ pre: | |
16 | 16 | apt-get update -y -q
|
17 | 17 | apt-get install -y -q debian-archive-keyring ubuntu-keyring mmdebstrap gnupg
|
18 | 18 | |
19 | - [% IF c("var/container/suite") == "jessie" -%]
|
|
20 | - apt-get install -y -q patch
|
|
21 | - cd /usr/bin
|
|
22 | - # The gpg key for jessie is expired. We patch apt-key to accept expired keys.
|
|
23 | - patch -p1 < $rootdir/apt-key-allow-expired-key.patch
|
|
24 | - cd $rootdir
|
|
25 | - [% END -%]
|
|
26 | - |
|
27 | 19 | export SOURCE_DATE_EPOCH='[% c("timestamp") %]'
|
28 | 20 | tar -xf [% c('input_files_by_name/mmdebstrap') %]
|
29 | 21 | ./mmdebstrap/mmdebstrap --mode=unshare [% c("var/container/mmdebstrap_opt") %] [% c("var/container/suite") %] output.tar.gz [% c("var/container/debian_mirror") %]
|
... | ... | @@ -39,16 +31,16 @@ pre: | |
39 | 31 | mv output.tar.gz [% dest_dir %]/[% c("filename") %]
|
40 | 32 | |
41 | 33 | targets:
|
42 | - jessie-amd64:
|
|
34 | + stretch-amd64:
|
|
43 | 35 | var:
|
44 | - minimal_apt_version: 1.0.9.8.6
|
|
45 | - |
|
36 | + minimal_apt_version: 1.4.11
|
|
46 | 37 | container:
|
47 | - suite: jessie
|
|
38 | + suite: stretch
|
|
48 | 39 | arch: amd64
|
49 | 40 | debian_mirror: >
|
50 | - "deb [signed-by=/usr/share/keyrings/debian-archive-removed-keys.gpg] http://archive.debian.org/debian-archive/debian/ jessie main"
|
|
51 | - "deb [signed-by=/usr/share/keyrings/debian-archive-removed-keys.gpg] http://archive.debian.org/debian-archive/debian-security/ jessie/updates main"
|
|
41 | + "deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://archive.debian.org/debian-archive/debian/ stretch main"
|
|
42 | + "deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://archive.debian.org/debian-archive/debian-security/ stretch/updates main"
|
|
43 | + |
|
52 | 44 | |
53 | 45 | bullseye-amd64:
|
54 | 46 | var:
|
... | ... | @@ -62,6 +54,4 @@ input_files: |
62 | 54 | name: mmdebstrap
|
63 | 55 | - URL: 'https://cdimage.ubuntu.com/ubuntu-base/releases/[% c("var/ubuntu_version") %]/release/ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz'
|
64 | 56 | filename: 'container-image_ubuntu-base-[% c("var/ubuntu_version") %]-base-amd64.tar.gz'
|
65 | - sha256sum: e1f9200c99da008a473c9ae7b51e13f5ea05dc4c2e12beb43f0f9cbbbf6216f4
|
|
66 | - - filename: apt-key-allow-expired-key.patch
|
|
67 | - enable: '[% c("var/container/suite") == "jessie" %]' |
|
57 | + sha256sum: 373f064df30519adc3344a08d774f437caabd1479d846fa2ca6fed727ea7a53d |
... | ... | @@ -8,7 +8,7 @@ distdir=/var/tmp/dist/[% project %] |
8 | 8 | [% IF c("var/linux") -%]
|
9 | 9 | [% pc('python', 'var/setup', { python_tarfile => c('input_files_by_name/python') }) %]
|
10 | 10 | [% END -%]
|
11 | -mkdir /var/tmp/build
|
|
11 | +mkdir -p /var/tmp/build
|
|
12 | 12 | tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.gz
|
13 | 13 | cd /var/tmp/build/[% project %]-[% c('version') %]
|
14 | 14 |
... | ... | @@ -50,7 +50,7 @@ EOF |
50 | 50 | [% END %]
|
51 | 51 | |
52 | 52 | cd $rootdir
|
53 | -mkdir /var/tmp/build
|
|
53 | +mkdir -p /var/tmp/build
|
|
54 | 54 | tar -C /var/tmp/build -xf [% c('input_files_by_name/rust') %]
|
55 | 55 | cd /var/tmp/build/rustc-[% c('version') %]-src
|
56 | 56 |
... | ... | @@ -3,7 +3,7 @@ |
3 | 3 | [% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %]
|
4 | 4 | distdir=/var/tmp/dist/sqlcipher
|
5 | 5 | builddir=/var/tmp/build/[% project %]
|
6 | -mkdir /var/tmp/build
|
|
6 | +mkdir -p /var/tmp/build
|
|
7 | 7 | tar -C /var/tmp/dist -xf [% c('input_files_by_name/nss') %]
|
8 | 8 | |
9 | 9 | [% IF ! c("var/sqlcipher-linux-x86_64") -%]
|
1 | 1 | #!/bin/sh
|
2 | 2 | [% c("var/set_default_env") -%]
|
3 | 3 | distdir=/var/tmp/dist/StemNS
|
4 | -mkdir /var/tmp/build
|
|
5 | -mkdir /var/tmp/dist
|
|
4 | +mkdir -p /var/tmp/build
|
|
5 | +mkdir -p /var/tmp/dist
|
|
6 | 6 | |
7 | 7 | # Extract StemNS
|
8 | 8 | tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.gz
|
... | ... | @@ -491,7 +491,7 @@ targets: |
491 | 491 | # Temporarily disabled until we have a fix for tor-browser-build#40845
|
492 | 492 | #namecoin: '[% c("var/nightly") && c("var/tor-browser") %]'
|
493 | 493 | container:
|
494 | - suite: jessie
|
|
494 | + suite: stretch
|
|
495 | 495 | arch: amd64
|
496 | 496 | pre_pkginst: dpkg --add-architecture i386
|
497 | 497 | deps:
|
... | ... | @@ -503,13 +503,18 @@ targets: |
503 | 503 | - build-essential
|
504 | 504 | - python
|
505 | 505 | - bison
|
506 | - - hardening-wrapper
|
|
507 | 506 | - automake
|
508 | 507 | - libtool
|
509 | 508 | - zip
|
510 | 509 | - unzip
|
511 | 510 | - xz-utils
|
512 | 511 | - patch
|
512 | + - less
|
|
513 | + set_hardened_build_flags: |
|
|
514 | + export DEB_BUILD_HARDENING=1
|
|
515 | + export DEB_BUILD_OPTIONS='hardening=+bindnow,+relro,+pie,+fortify,+stackprotector,+stackprotectorstrong,+format'
|
|
516 | + mkdir -p /var/tmp/build
|
|
517 | + eval $(cd /var/tmp/build; dpkg-buildflags --export=sh)
|
|
513 | 518 | linux-asan:
|
514 | 519 | var:
|
515 | 520 | asan: 1
|