DEB_BUILD_CFLAGS and DEB_BUILD_LDFLAGS for packaging

Martin Pitt martin.pitt at ubuntu.com
Fri Apr 20 12:51:11 BST 2007


Hi,

Kees Cook [2007-04-18 10:15 -0700]:
> I'd really like to get some momentum started on getting a set of default 
> compiler toolchain options available.  In the past, adding 
> -fstack-protection wasn't done in a way everyone was happy with, and
> introducing DEB_BUILD_CFLAGS and DEB_BUILD_LDFLAGS was discussed as one 
> way to make things easier to handle in the future.  (I played briefly 
> with trying to develop a wrapper for gcc, but this did not turn out 
> well.)

Hm, I do not see a major obstacle to this; after all, it works well
for ccache. What were the particular problems?

> I'm especially interested in having a place to put distro-wide 
> compile-time defaults so things like -relro and -pie can be more easily 
> experimented with.  Unfortunately I am neither a toolchain nor packaging 
> expert, so I'll need help chasing this task.  I'd especially like help 
> to define the specific set of steps needed to successfully get it 
> implemented.  I'm hoping to get pitti and doko involved in this bit.  :)

(1) The long-term goal that was discussed previously was that all
source packages need to be converted to integrate these environment
variables into the CFLAGS they pass to their configure/Makefiles. This
is the only way that guarantees 100% build reproducibility (with
calling 'debian/rules build'). Obviously this is a huge task, will
take years to be completed, and requires that the Debian maintainers
agree to this.

(2) As an intermediate solution we could put gcc wrappers into
dpkg-buildpackage which prepend those values to the arguments passed
to the real gcc, so that packages can still override those defaults
with CFLAGS. This will provide almost the same effect except that
calling 'debian/rules build' will not do the same thing that
dpkg-buildpackage -b will do. It has the huge advantage of not
requiring to touch every source package, so I think it is totally
adequate for testing at least. Of course it might miss some special
cases in source packages which hardcode the path to gcc, but we can
certainly live with that for a while.

A more interesting question is where to actually define the defaults
for those variables? With solution (2) that is easy, we can put them
into a conffile and ship that in dpkg-buildpackage. If we aim for (1),
then the only place that seems sensible to me is /etc/environment.

I am still looking for a way to shy around (1), since the
gain/effort ratio compared to (2) is so ludicrously small. However,
the only solution for this that comes to my mind is to just define
'debian/rules build' as 'not the way to build an official deb' and
bless dpkg-buildpackage as the sole official interface that guarantees
reproduction of buildd results.

Looking forward to comments from others,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org
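
The wrapper approach from option (2) above, sketched as an added example; it is not part of the original message and not dpkg code. The install directory `/usr/lib/deb-build-wrappers` and all function names are assumptions made for illustration; only DEB_BUILD_CFLAGS and DEB_BUILD_LDFLAGS come from the thread.

```shell
#!/bin/sh
# Added example of option (2): a ccache-style gcc wrapper, not dpkg code.
# Assumption: installed as "gcc" in WRAPPER_DIR, which is first in PATH.
WRAPPER_DIR=${WRAPPER_DIR:-/usr/lib/deb-build-wrappers}  # hypothetical path

# Succeed if the invocation stops before linking (-c, -S or -E given).
is_compile_only() {
    for arg in "$@"; do
        case "$arg" in -c|-S|-E) return 0 ;; esac
    done
    return 1
}

# Print the defaults that apply to this invocation, one flag per line.
# LDFLAGS are only added when gcc will actually run the linker.
default_flags() {
    set -f  # the variables are whitespace-separated lists; split, no globbing
    for f in $DEB_BUILD_CFLAGS; do printf '%s\n' "$f"; done
    if ! is_compile_only "$@"; then
        for f in $DEB_BUILD_LDFLAGS; do printf '%s\n' "$f"; done
    fi
    set +f
}

# Print the first "$1" found in PATH outside WRAPPER_DIR (the real compiler).
find_real() {
    old_ifs=$IFS; IFS=:
    for dir in $PATH; do
        IFS=$old_ifs
        [ "$dir" = "$WRAPPER_DIR" ] && continue
        if [ -x "$dir/$1" ]; then printf '%s\n' "$dir/$1"; return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# Defaults go first, so flags from the package's own CFLAGS come later
# on the command line and override them.
wrap() {
    name=$1; shift
    real=$(find_real "$name") || { echo "$name: no real compiler" >&2; return 127; }
    set -f; set -- $(default_flags "$@") "$@"; set +f
    exec "$real" "$@"
}

# Act as the compiler only when invoked under a compiler name.
case "${0##*/}" in
    gcc|g++|cc|c++) wrap "${0##*/}" "$@" ;;
esac
```

A package that calls the compiler by absolute path bypasses the PATH lookup entirely, which is the "hardcode the path to gcc" case the message says such a wrapper would miss.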