[openssl-dev] OpenSSL version 1.1.0 pre release 2 published

Kurt Roeckx kurt at roeckx.be
Sun Jan 17 13:16:04 UTC 2016 

On Sun, Jan 17, 2016 at 01:14:14AM +0100, Richard Levitte wrote:
> OPT_FLAGS would be for optimizing, do I get that right?  I suggest you
> have a look at Configurations/10-main.conf, you might notice
> configuration items like debug_cflags, release_cflags, debug_lflags
> and release_lflags.  If you have a look at my refactor-build branch,
> you will see a fairly thorough Configurations/README.  If you look the
> commit titled "Refactor config - move templates docs asm templates to
> Configurations", you'll find the documentation that's applicable to
> what Configure in the master branch supports...  later editions are
> currently only supported in my branch.

In Debian we have a system that where you can override things like
the CFLAGS, and I wonder how easy it will be to integrate that
with your new system.

We have a tool called dpkg-buildflags.  By default it now returns:
$ dpkg-buildflags
CFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security
CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2
CXXFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security
FCFLAGS=-g -O2 -fstack-protector-strong
FFLAGS=-g -O2 -fstack-protector-strong
GCJFLAGS=-g -O2 -fstack-protector-strong
LDFLAGS=-Wl,-z,relro
OBJCFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security
OBJCXXFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security

In the 1.0.2 branch I use this:
my $debian_cflags = `dpkg-buildflags --get CFLAGS` . `dpkg-buildflags --get CPPFLAGS` . `dpkg-buildflags --get LDFLAGS` . "-Wa,--noexecstack -Wall";

And then use $debian_cflags in the targets.

There were was no way to separate clfags/lfdlags, so I needed to
combine it.

dpkg-buildflags can return different things depending on environment variables.
Some examples:
$ DEB_BUILD_OPTIONS=noopt dpkg-buildflags --get CFLAGS
-g -O0 -fstack-protector-strong -Wformat -Werror=format-security

$ DEB_BUILD_OPTIONS=hardening=-all dpkg-buildflags --get CFLAGS
-g -O2

$ DEB_CFLAGS_APPEND=-O3 dpkg-buildflags --get CFLAGS
-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -O3


There are environment variables for both the maintainer to set the
defaults and someone who then wants to build the package with
different settings.

(I should move the -Wa,--noexecstack -Wall to environment
variables.)

Is there an easy way to I can override the flags with
dpkg-buildflags?


Kurt

More information about the openssl-dev mailing list